{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3889", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-22T23:10:04.442Z", "datePublished": "2025-05-01T11:11:41.530Z", "dateUpdated": "2026-04-08T16:48:35.209Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:35.209Z"}, "affected": [{"vendor": "mra13", "product": "Simple Shopping Cart", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'process_payment_data' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the quantity of a product to a negative number, which subtracts the product cost from the total order cost. The attack will only work with Manual Checkout mode, as PayPal and Stripe will not process payments for a negative quantity."}], "title": "WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference via 'quantity'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/41212533-535e-4a9e-a9b8-1240021a3752?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L324"}, {"url": "https://www.tipsandtricks-hq.com/ecommerce/wp-shopping-cart"}, {"url": "https://www.tipsandtricks-hq.com/ecommerce/simple-shopping-cart-enabling-manual-offline-checkout"}, {"url": "https://plugins.trac.wordpress.org/changeset/3284572/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jack Taylor"}], "timeline": [{"time": "2025-04-30T22:01:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-01T13:47:44.668575Z", "id": "CVE-2025-3889", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-01T13:49:29.539Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3889", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-01T13:47:44.668575Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-01T13:49:23.767Z"}}], "cna": {"title": "WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference via 'quantity'", "credits": [{"lang": "en", "type": "finder", "value": "Jack Taylor"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "mra13", "product": "Simple Shopping Cart", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.1.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-30T22:01:29.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/41212533-535e-4a9e-a9b8-1240021a3752?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L324"}, {"url": "https://www.tipsandtricks-hq.com/ecommerce/wp-shopping-cart"}, {"url": "https://www.tipsandtricks-hq.com/ecommerce/simple-shopping-cart-enabling-manual-offline-checkout"}, {"url": "https://plugins.trac.wordpress.org/changeset/3284572/"}], "descriptions": [{"lang": "en", "value": "The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'process_payment_data' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the quantity of a product to a negative number, which subtracts the product cost from the total order cost. The attack will only work with Manual Checkout mode, as PayPal and Stripe will not process payments for a negative quantity."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:48:35.209Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3889", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:48:35.209Z", "dateReserved": "2025-04-22T23:10:04.442Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-01T11:11:41.530Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tipsandtricks-hq:wordpress_simple_paypal_shopping_cart:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D17656F6-1EC3-497A-8471-FEEEAE9B5173", "versionEndExcluding": "5.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'process_payment_data' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the quantity of a product to a negative number, which subtracts the product cost from the total order cost. The attack will only work with Manual Checkout mode, as PayPal and Stripe will not process payments for a negative quantity."}, {"lang": "es", "value": "El complemento Simple Shopping Cart para WordPress es vulnerable a una Referencia Directa a Objetos Insegura en todas las versiones hasta la 5.1.3 incluida, a trav\u00e9s de 'process_payment_data', debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto permite a atacantes no autenticados cambiar la cantidad de un producto a un n\u00famero negativo, lo que resta el coste del producto del coste total del pedido. El ataque solo funciona con el modo de pago manual, ya que PayPal y Stripe no procesan pagos por cantidades negativas."}], "id": "CVE-2025-3889", "lastModified": "2025-05-06T15:39:43.323", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-01T12:15:17.630", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L324"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3284572/"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://www.tipsandtricks-hq.com/ecommerce/simple-shopping-cart-enabling-manual-offline-checkout"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://www.tipsandtricks-hq.com/ecommerce/wp-shopping-cart"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/41212533-535e-4a9e-a9b8-1240021a3752?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T01:37:10.458586+00:00", "value": {"mitigation_remediation": ["Upgrade the WordPress Simple Shopping Cart plugin to the latest available version that removes the vulnerability.", "If an immediate upgrade is not possible, disable the Manual Checkout mode so that PayPal or Stripe processing blocks negative quantities.", "Review recent orders for negative totals and issue refunds or corrections as needed."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized quantity manipulation resulting in negative order totals"}, "threat_synthesis": {"affected_systems": "All installations of the WordPress Simple Shopping Cart plugin up to and including version\u202f5.1.3 on WordPress sites. The affected component is the process_payment_data handler within the plugin. Users of older versions that still allow manual processing are at risk.", "description_and_impact": "The WordPress Simple Shopping Cart plugin permits an unauthenticated attacker to alter the 'quantity' parameter in the process_payment_data request. This missing validation allows setting a negative quantity, which reduces the total order cost by the product amount. The flaw does not affect PayPal or Stripe processing, but it is exploitable when the site uses Manual Checkout, enabling the attacker to obtain refunds or fake lower charges.", "risk_and_exploitability": "The CVSS base score is 5.3, indicating a moderate severity. The EPSS score is below 1\u202f%, suggesting low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. However, because the attacker only needs to submit a crafted request and no privileged credentials are required, the attack could be automated if a manual checkout path is enabled. The impact on confidentiality is negligible, but integrity is compromised as an attacker can artificially lower transaction amounts, potentially leading to financial loss or unauthorized refunds."}}}}, "created": "2026-04-22T01:45:05.621026+00:00", "updated": "2026-04-22T01:45:05.621037+00:00", "vendors": []}