vulnerability
WordPress Plugin: wordpress-simple-paypal-shopping-cart: CVE-2025-3530: External Control of Assumed-Immutable Web Parameter
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:C/A:N) | Apr 22, 2025 | May 15, 2025 | May 15, 2025 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:N/I:C/A:N)
Published
Apr 22, 2025
Added
May 15, 2025
Modified
May 15, 2025
Description
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involving the inconsistent use of parameters during the cart addition process. The plugin uses the parameter 'product_tmp_two' for computing a security hash against price tampering while using 'wspsc_product' to display the product, allowing an unauthenticated attacker to substitute details from a cheaper product and bypass payment for a more expensive item.
Solution
wordpress-simple-paypal-shopping-cart-plugin-cve-2025-3530
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.