vulnerability

WordPress Plugin: wordpress-simple-paypal-shopping-cart: CVE-2025-3874: Authorization Bypass Through User-Controlled Key

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Published

Apr 30, 2025

Added

May 15, 2025

Modified

Apr 29, 2026

Description

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes.

Solution

wordpress-simple-paypal-shopping-cart-plugin-cve-2025-3874

References

https://www.cve.org/CVERecord?id=CVE-2025-3874
https://www.wordfence.com/threat-intel/vulnerabilities/id/4fed59bf-885b-4a06-aff2-8e5ab5f83ba7?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-15024
CVE-2025-3874
https://attackerkb.com/topics/CVE-2025-3874
CWE-639
EUVD-EUVD-2025-15024

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report