Insecure Direct Object Reference Vulnerability in Simple Shopping Cart Plugin for WordPress
CVE-2025-3874

6.5MEDIUM

Key Information:

Vendor

WordPress
Status
WordPress Simple Shopping Cart
Vendor
CVE Published:
1 May 2025

What is CVE-2025-3874?

The Simple Shopping Cart plugin for WordPress contains a vulnerability that allows unauthenticated attackers to exploit Insecure Direct Object Reference. This issue arises from the absence of randomization in a user-controlled key, enabling unauthorized access to customer shopping carts. Attackers can manipulate product links, add or remove products, and uncover coupon codes, which poses significant risks to both customers and businesses utilizing the plugin. It highlights the need for security measures to safeguard sensitive customer data and maintain the integrity of shopping experiences in vulnerable e-commerce platforms.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

WordPress Simple Shopping Cart * <= 5.1.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/wordpress-simp...
https://plugins.trac.wordpress.org/browser/wordpress-simp...

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jack Taylor
JSON
.