CVE-2025-3874
MEDIUMCVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes.
AnalysisAI
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-639. The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes. Affected products include: Tipsandtricks-Hq Wordpress Simple Paypal Shopping Cart.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Share
External POC / Exploit Code
Leaving vuln.today