Insecure Direct Object Reference Vulnerability in Simple Shopping Cart Plugin for WordPress
CVE-2025-3874

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: WordPress Simple Shopping Cart
Vendor: CVE Published:; 1 May 2025

What is CVE-2025-3874?

The Simple Shopping Cart plugin for WordPress contains a vulnerability that allows unauthenticated attackers to exploit Insecure Direct Object Reference. This issue arises from the absence of randomization in a user-controlled key, enabling unauthorized access to customer shopping carts. Attackers can manipulate product links, add or remove products, and uncover coupon codes, which poses significant risks to both customers and businesses utilizing the plugin. It highlights the need for security measures to safeguard sensitive customer data and maintain the integrity of shopping experiences in vulnerable e-commerce platforms.

Affected Version(s)

WordPress Simple Shopping Cart * <= 5.1.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wordpress-simp...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2025
Vulnerability Reserved
Apr 22, 2025

Credit

Jack Taylor