Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Unauthenticated network IDOR with no user interaction reads other users' plugin data; confidentiality high, no integrity or availability impact, scope unchanged.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions.
AnalysisAI
Unauthorized data access in the WordPress Simple Shopping Cart plugin (versions <= 5.2.9) allows remote unauthenticated attackers to retrieve sensitive information belonging to other users through an Insecure Direct Object Reference (IDOR) flaw. Per the CVSS vector (AV:N/AC:L/PR:N/UI:N), exploitation is network-reachable with low complexity and no authentication. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
The affected component is the Simple Shopping Cart plugin (also tracked as 'WordPress Simple PayPal Shopping Cart') developed by mra13 / Tips and Tricks HQ, a WordPress e-commerce extension that adds cart, checkout, and order management features to WordPress sites. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), in which the application exposes object identifiers (such as order, cart, or customer record IDs) in client-supplied parameters without validating that the requesting principal is authorized to access the referenced object. CPE cpe:2.3:a:mra13_/_team_tips_and_tricks_hq:simple_shopping_cart:*:*:*:*:*:*:*:* confirms the affected application is the WordPress plugin family rather than a separately distributed product.
RemediationAI
Patch available per vendor advisory - upgrade the Simple Shopping Cart (WordPress Simple PayPal Shopping Cart) plugin to a version newer than 5.2.9 as published by Tips and Tricks HQ, consulting the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wordpress-simple-paypal-shopping-cart/vulnerability/wordpress-simple-shopping-cart-plugin-5-2-9-insecure-direct-object-references-idor-vulnerability for the exact fixed release number, which is not enumerated in the input data. If immediate patching is not possible, deactivate and delete the plugin (side effect: cart and checkout functionality will be unavailable) or place the WordPress site behind a WAF and add rules that block direct access to cart, order, or customer endpoints with numeric IDs that do not match the requesting session (side effect: may break legitimate share-cart or guest-checkout flows), and monitor web access logs for sequential or enumerated ID requests against the plugin's endpoints.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36847
GHSA-48rr-4889-hv7w