CVE-2025-3874
📋 TL;DR
The WordPress Simple Shopping Cart plugin is vulnerable to Insecure Direct Object Reference (IDOR) in all versions up to and including 5.1.3. Because cart identifiers are predictable, an unauthenticated attacker can reach other customers' shopping carts and edit product links, add or delete products, and discover coupon codes. Every WordPress site running version 5.1.3 or earlier is affected; the fix is in 5.1.4.
💻 Affected Systems
- WordPress Simple Shopping Cart plugin (WordPress.org slug wordpress-simple-paypal-shopping-cart), all versions up to and including 5.1.3
📦 What is this software?
A lightweight e-commerce plugin from Tips and Tricks HQ that adds "Add to Cart" buttons and a PayPal checkout to WordPress pages and posts. It is distributed through the WordPress.org plugin directory under the slug wordpress-simple-paypal-shopping-cart.
⚠️ Risk & Real-World Impact
Worst Case
Attackers tamper with other customers' carts at scale: product links are edited to redirect purchases, items are added or removed, and coupon codes are harvested and abused, causing financial loss and disruption to the shop.
Likely Case
Unauthenticated attackers enumerate cart identifiers and read or modify the carts they find, adding or deleting products, changing product links, and collecting coupon codes.
If Mitigated
Limited impact once the plugin is updated and access logs are monitored, though some cart manipulation may occur before an enumeration pattern is detected.
🎯 Exploit Status
The vulnerability stems from predictable cart identifiers: an unauthenticated attacker who can guess or enumerate another customer's cart ID can act on that cart. No special tooling is required beyond the ability to send HTTP requests to the site.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.1.4 or later
Vendor Advisory: https://wordpress.org/plugins/wordpress-simple-paypal-shopping-cart/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'WordPress Simple Shopping Cart'
4. Click 'Update Now' if available
5. If no update appears, manually download version 5.1.4+ from WordPress.org
🔧 Temporary Workarounds
Disable plugin
Temporarily deactivate the vulnerable plugin until it can be updated (note that the shopping cart is unavailable to customers while the plugin is off):
wp plugin deactivate wordpress-simple-paypal-shopping-cart
🧯 If You Can't Patch
- Implement web application firewall rules that rate-limit or block clients requesting many different cart identifiers in a short window
- Monitor access logs for cart ID enumeration (one client walking through many distinct or sequential cart identifiers)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for the 'WordPress Simple Shopping Cart' version; 5.1.3 or earlier is vulnerable
Check Version:
wp plugin get wordpress-simple-paypal-shopping-cart --field=version
Verify Fix Applied:
Confirm plugin version is 5.1.4 or higher in WordPress admin panel
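The update and verification steps above, as an added shell example that is not part of the advisory or of the plugin's own code. It compares the installed version against 5.1.4 component by component (so 5.1.10 is correctly treated as newer than 5.1.4, which a plain string comparison would get wrong), and the optional WP-CLI wrapper assumes WP-CLI is installed and the script is run from the WordPress root.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): decide whether an
# installed WordPress Simple Shopping Cart version falls in the affected
# range (<= 5.1.3) and, if so, update it with WP-CLI and re-check.
# Assumes WP-CLI is installed and the script is run from the WordPress root.

PLUGIN_SLUG="wordpress-simple-paypal-shopping-cart"
FIXED_VERSION="5.1.4"

# version_lt A B: exit 0 if dotted version A is older than B.
# Compares component by component as integers, so 5.1.10 > 5.1.4.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then return 0; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then return 1; fi
    done
    return 1   # versions are equal
}

# wpsc_status VERSION: print "vulnerable" or "patched" for a version string.
wpsc_status() {
    if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo patched; fi
}

# wpsc_check_and_update: read the installed version via WP-CLI, update the
# plugin if it is affected, then re-read the version to confirm the fix.
wpsc_check_and_update() {
    installed="$(wp plugin get "$PLUGIN_SLUG" --field=version)" || return 2
    echo "installed: $installed ($(wpsc_status "$installed"))"
    if [ "$(wpsc_status "$installed")" = "vulnerable" ]; then
        wp plugin update "$PLUGIN_SLUG" || return 3
        installed="$(wp plugin get "$PLUGIN_SLUG" --field=version)" || return 2
        echo "after update: $installed ($(wpsc_status "$installed"))"
    fi
}

# Stand-alone demonstration against a few sample version strings.
for v in 5.1.3 5.1.4 5.1.10 5.0; do
    echo "$v -> $(wpsc_status "$v")"
done
```

Run `wpsc_check_and_update` from the WordPress root to perform the check, update and re-verification in one step; the `wp plugin get` and `wp plugin update` subcommands are standard WP-CLI.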
📡 Detection & Monitoring
Log Indicators:
- Many distinct or sequential cart IDs requested by a single client IP in a short window
- Cart manipulation requests from clients that never load a product page first (normal shoppers are also unauthenticated, so the lack of a session is not a signal by itself; the number of distinct cart IDs per client is)
Network Indicators:
- HTTP requests whose cart ID values follow a predictable pattern (incrementing or otherwise guessable)
- Unusual spikes in cart-related requests, especially from scripted user agents
SIEM Query (Splunk-style starting point; ordinary anonymous shoppers also match, so rank by count):
source="wordpress.log" AND ("cart" OR "wpsc") AND status=200 AND user="-" | stats count by src_ip
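The log indicators above, as an added detection example that is not part of the advisory or of the plugin's code. It groups web-server access-log lines by client IP, counts the distinct cart identifiers each client touched, and labels a client "sequential" when its IDs span no more than twice their count (a range walk) or "scattered" otherwise. The log lines are constructed for the example, and the query parameter name cart_id is an assumption: take the real parameter or cookie name from the plugin source files linked in the references before running this against production logs.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): spot clients that walk
# through many distinct cart identifiers, the enumeration pattern described
# above, in a web-server access log (combined log format).
# ASSUMPTION: the cart identifier appears as a numeric query parameter named
# cart_id. That name is hypothetical; take the real parameter or cookie name
# from the plugin source files in the references before deploying this.

# Constructed sample log. 203.0.113.7 walks cart IDs 1001..1005 in order,
# 192.0.2.9 touches three unrelated IDs, 198.51.100.2 only uses its own cart.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/May/2025:10:01:01 +0000] "GET /shop/?cart_id=1001 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [10/May/2025:10:01:02 +0000] "GET /shop/?cart_id=1002 HTTP/1.1" 200 498 "-" "curl/8.5.0"
203.0.113.7 - - [10/May/2025:10:01:02 +0000] "GET /shop/?cart_id=1003 HTTP/1.1" 200 530 "-" "curl/8.5.0"
203.0.113.7 - - [10/May/2025:10:01:03 +0000] "GET /shop/?cart_id=1004 HTTP/1.1" 200 501 "-" "curl/8.5.0"
203.0.113.7 - - [10/May/2025:10:01:04 +0000] "GET /shop/?cart_id=1005 HTTP/1.1" 200 517 "-" "curl/8.5.0"
192.0.2.9 - - [10/May/2025:10:02:10 +0000] "GET /shop/?cart_id=10 HTTP/1.1" 200 480 "-" "python-requests/2.31"
192.0.2.9 - - [10/May/2025:10:02:11 +0000] "GET /shop/?cart_id=5000 HTTP/1.1" 200 480 "-" "python-requests/2.31"
192.0.2.9 - - [10/May/2025:10:02:12 +0000] "GET /shop/?cart_id=9000 HTTP/1.1" 200 480 "-" "python-requests/2.31"
198.51.100.2 - - [10/May/2025:10:03:00 +0000] "GET /shop/?cart_id=8841 HTTP/1.1" 200 2210 "https://example.org/shop/" "Mozilla/5.0"
198.51.100.2 - - [10/May/2025:10:03:05 +0000] "GET /shop/?cart_id=8841&apply_coupon=1 HTTP/1.1" 200 2250 "https://example.org/shop/" "Mozilla/5.0"
198.51.100.2 - - [10/May/2025:10:03:09 +0000] "GET /checkout/ HTTP/1.1" 200 1800 "https://example.org/shop/" "Mozilla/5.0"
EOF
)

# wpsc_enumeration_report THRESHOLD   (log lines on stdin)
# Prints "<ip> <distinct cart IDs> sequential|scattered" for every client
# that requested at least THRESHOLD distinct cart IDs. "sequential" means
# the IDs span at most twice their count, i.e. the client is walking a range.
wpsc_enumeration_report() {
    thr="${1:-5}"
    awk -v thr="$thr" '
        match($0, /[?&]cart_id=[0-9]+/) {
            id = substr($0, RSTART, RLENGTH); sub(/.*=/, "", id); id += 0
            ip = $1
            if ((ip, id) in seen) next      # count each (client, cart) pair once
            seen[ip, id] = 1
            n[ip]++
            if (!(ip in lo) || id < lo[ip]) lo[ip] = id
            if (!(ip in hi) || id > hi[ip]) hi[ip] = id
        }
        END {
            for (ip in n) {
                if (n[ip] < thr) continue
                span = hi[ip] - lo[ip] + 1
                kind = (span <= 2 * n[ip]) ? "sequential" : "scattered"
                printf "%s %d %s\n", ip, n[ip], kind
            }
        }' | sort
}

# Stand-alone demonstration on the constructed log with a threshold of 3.
printf '%s\n' "$SAMPLE_LOG" | wpsc_enumeration_report 3
```

Against a real log, run `wpsc_enumeration_report 10 < /var/log/nginx/access.log` (or the equivalent Apache path) and pick the threshold from your own baseline: a legitimate shopper normally touches one cart ID, so even a low threshold separates enumeration from ordinary browsing without depending on whether the request carried a logged-in user.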
🔗 References
- https://developer.wordpress.org/reference/functions/wp_generate_password/
- https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/includes/class-wpsc-cart.php#L32
- https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/includes/class-wpsc-cart.php#L68
- https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L158
- https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L265
- https://plugins.trac.wordpress.org/browser/wordpress-simple-paypal-shopping-cart/tags/5.1.2/wp_shopping_cart.php#L525
- https://plugins.trac.wordpress.org/changeset/3284572/
- https://www.tipsandtricks-hq.com/ecommerce/wp-shopping-cart
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4fed59bf-885b-4a06-aff2-8e5ab5f83ba7?source=cve