Insecure Direct Object Reference Vulnerability in Simple Shopping Cart Plugin for WordPress
CVE-2025-3889

5.3 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
1 May 2025

Summary

The Simple Shopping Cart plugin for WordPress is vulnerable to an Insecure Direct Object Reference due to inadequate data validation in the 'process_payment_data' function. This flaw allows unauthenticated attackers to exploit the application by altering the product quantity to a negative value, effectively reducing the total order cost. This attack is only viable when using the Manual Checkout mode since other payment processors like PayPal and Stripe will reject any payments processed for a negative quantity.
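The defect described above is a missing server-side check on a client-supplied quantity. The following is an added illustration of the kind of validation that closes that gap; it is not code from the Simple Shopping Cart plugin or its 'process_payment_data' function, and the catalog, prices, function names and sample requests are all hypothetical.

```php
<?php
// Added illustration (not the plugin's code): server-side validation of
// submitted cart quantities before an order total is computed.
// The catalog, prices and function names below are hypothetical.

// Hypothetical server-side catalog: product id => unit price in cents.
const CATALOG = [
    'sku-100' => 1999,
    'sku-200' =>  550,
];

/**
 * Validate one submitted quantity. Only a positive integer within a sane
 * upper bound is accepted; negatives, zero, floats and junk strings are
 * rejected outright rather than coerced.
 */
function validate_quantity($raw, int $max = 1000): ?int {
    // FILTER_VALIDATE_INT rejects "3.5", "-2abc", "" and null; min_range
    // keeps out 0 and negatives, max_range caps absurd quantities.
    $qty = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $qty === false ? null : $qty;
}

/**
 * Compute an order total from submitted cart items using server-side prices
 * only. Returns null if any line fails validation, so one tampered line
 * aborts the checkout instead of silently lowering the total.
 */
function compute_order_total(array $submitted_items): ?int {
    $total = 0;
    foreach ($submitted_items as $item) {
        $id = $item['product_id'] ?? null;
        if (!isset(CATALOG[$id])) {
            return null;                   // unknown product
        }
        $qty = validate_quantity($item['quantity'] ?? null);
        if ($qty === null) {
            return null;                   // negative, zero or non-integer quantity
        }
        $total += CATALOG[$id] * $qty;     // price comes from the catalog, never the request
    }
    return $total > 0 ? $total : null;
}

// Constructed sample requests: one well-formed, one with a negative quantity
// on the second line (the pattern the advisory describes).
$legit = [
    ['product_id' => 'sku-100', 'quantity' => '2'],
    ['product_id' => 'sku-200', 'quantity' => '1'],
];
$tampered = [
    ['product_id' => 'sku-100', 'quantity' => '2'],
    ['product_id' => 'sku-200', 'quantity' => '-5'],
];

var_dump(compute_order_total($legit));
var_dump(compute_order_total($tampered));
```

Two design points matter here. First, the total is built from catalog prices and a validated integer quantity, so nothing the client sends can drive the sum downward. Second, the function fails closed: a single invalid line yields null and the checkout is refused, which is the right behaviour for the Manual Checkout path, where no external payment processor is present to reject an implausible amount.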

Affected Version(s)

WordPress Simple Shopping Cart, all versions <= 5.1.3

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jack Taylor
CVE-2025-3889 : Insecure Direct Object Reference Vulnerability in Simple Shopping Cart Plugin for WordPress | SecurityVulnerability.io