Logic Flaw in Simple Shopping Cart Plugin for WordPress
CVE-2025-3530

7.5HIGH

Key Information:

Vendor: WordPress
Status: WordPress Simple Shopping Cart
Vendor: CVE Published:; 23 April 2025

What is CVE-2025-3530?

The Simple Shopping Cart plugin for WordPress contains a logic flaw that allows an attacker to manipulate product prices. This vulnerability arises from the inconsistent use of parameters during the cart addition process. Specifically, while the plugin generates a security hash using the 'product_tmp_two' parameter to prevent price tampering, it displays the product using 'wspsc_product'. This inconsistency enables an unauthenticated attacker to replace product details with those from a less expensive item, thus facilitating payment bypass for higher-priced products. It is crucial for users to ensure they are using the latest version of the plugin to mitigate this risk.

Affected Version(s)

WordPress Simple Shopping Cart * <= 5.1.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wordpress-simp...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 23, 2025
Vulnerability Reserved
Apr 11, 2025

Credit

Jack Taylor