Unauthorized Data Access in Welcart e-Commerce Plugin for WordPress
CVE-2025-12979

5.3MEDIUM

Key Information:

Vendor: WordPress
Status: Welcart E-commerce
Vendor: CVE Published:; 13 November 2025

What is CVE-2025-12979?

The Welcart e-Commerce plugin for WordPress has a security flaw that allows unauthorized users to exploit the 'usces_export' action, resulting in access to sensitive payment credentials, business contact information, mail templates, and other critical settings associated with the online store. This vulnerability arises from a lack of proper capability checks in the plugin, making it essential for users to take preventative measures.

Affected Version(s)

Welcart e-Commerce * <= 2.11.24

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 13, 2025
Vulnerability Reserved
Nov 10, 2025

Credit

Marcin Dudek

JSON