{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3874", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-22T16:33:30.164Z", "datePublished": "2025-05-01T11:11:41.924Z", "dateUpdated": "2026-04-08T16:52:11.176Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:11.176Z"}, "affected": [{"vendor": "mra13", "product": "Simple Shopping Cart", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes."}], "title": "WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4fed59bf-885b-4a06-aff2-8e5ab5f83ba7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/includes/class-wpsc-cart.php#L68"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/includes/class-wpsc-cart.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L525"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L265"}, {"url": "https://www.tipsandtricks-hq.com/ecommerce/wp-shopping-cart"}, {"url": "https://developer.wordpress.org/reference/functions/wp_generate_password/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3284572/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jack Taylor"}], "timeline": [{"time": "2025-04-30T22:01:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-01T13:46:22.092517Z", "id": "CVE-2025-3874", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-01T13:46:41.298Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3874", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-01T13:46:22.092517Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-01T13:46:31.537Z"}}], "cna": {"title": "WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference", "credits": [{"lang": "en", "type": "finder", "value": "Jack Taylor"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "mra13", "product": "WordPress Simple Shopping Cart", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-30T22:01:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4fed59bf-885b-4a06-aff2-8e5ab5f83ba7?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/includes/class-wpsc-cart.php#L68"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/includes/class-wpsc-cart.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L525"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L158"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L265"}, {"url": "https://www.tipsandtricks-hq.com/ecommerce/wp-shopping-cart"}, {"url": "https://developer.wordpress.org/reference/functions/wp_generate_password/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3284572/"}], "descriptions": [{"lang": "en", "value": "The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-05-01T11:11:41.924Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3874", "state": "PUBLISHED", "dateUpdated": "2025-05-01T13:46:41.298Z", "dateReserved": "2025-04-22T16:33:30.164Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-01T11:11:41.924Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tipsandtricks-hq:wordpress_simple_paypal_shopping_cart:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D17656F6-1EC3-497A-8471-FEEEAE9B5173", "versionEndExcluding": "5.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes."}, {"lang": "es", "value": "El complemento Simple Shopping Cart para WordPress es vulnerable a una Referencia Directa a Objetos Insegura en todas las versiones hasta la 5.1.3 incluida, debido a la falta de aleatorizaci\u00f3n de una clave controlada por el usuario. Esto permite a atacantes no autenticados acceder a los carritos de compra de los clientes, editar enlaces de productos, a\u00f1adir o eliminar productos y descubrir c\u00f3digos de cup\u00f3n."}], "id": "CVE-2025-3874", "lastModified": "2025-05-06T15:39:29.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-01T12:15:17.400", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://developer.wordpress.org/reference/functions/wp_generate_password/"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/includes/class-wpsc-cart.php#L32"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/includes/class-wpsc-cart.php#L68"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L158"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L265"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L525"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3284572/"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://www.tipsandtricks-hq.com/ecommerce/wp-shopping-cart"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4fed59bf-885b-4a06-aff2-8e5ab5f83ba7?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:01:36.267641+00:00", "value": {"mitigation_remediation": ["Upgrade the Simple PayPal Shopping Cart plugin to the latest released version that addresses the insecure direct object reference.", "If an upgrade is not immediately possible, enforce an authentication check so that only logged\u2011in, authorized users can request or modify cart data; add explicit access\u2011control validation for the cart key.", "Implement or enforce key randomization or a cryptographically secure, unguessable token when generating or validating cart identifiers, ensuring that attackers cannot predict or enumerate cart references."], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated data access and modification"}, "threat_synthesis": {"affected_systems": "The security issue affects the Simple PayPal Shopping Cart plugin written by mra13, specifically all versions up to and including 5.1.3 that are installed on WordPress sites. Any user running a vulnerable instance, regardless of the WordPress theme or host, is exposed to this flaw.", "description_and_impact": "The WordPress Simple PayPal Shopping Cart plugin for WordPress suffers from an insecure direct object reference vulnerability. Because the plugin does not randomize a user\u2011controlled key, an attacker can construct a request that references any shopping cart or product. This allows unauthenticated users to read customer cart contents, modify product links, add or delete products, and discover coupon codes. The weakness aligns with CWE\u2011639 and directly compromises both confidentiality and integrity of e\u2011commerce data.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a medium severity vulnerability. With an EPSS score of less than 1%, current exploitation probability remains low, and the vulnerability is not listed in the CISA KEV catalog. However, the attack requires no authentication and can be carried out by sending a crafted request that includes the predictable key, meaning that a determined attacker could discover or guess keys to access or alter cart information. Because the flaw depends on a direct reference, a site lacking additional controls is especially at risk."}}}}, "created": "2026-04-21T21:15:45.443544+00:00", "updated": "2026-04-21T21:15:45.443555+00:00", "vendors": []}