WordPress Simple PayPal Shopping Cart < 5.1.4 – Insecure Direct Object Reference | CVE 2025-3874 | Plugin Vulnerabilities

Description

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes.

Affects Plugins

wordpress-simple-paypal-shopping-cart

Fixed in 5.1.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/4fed59bf-885b-4a06-aff2-8e5ab5f83ba7

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Jack Taylor

Verified

No

WPVDB ID

50813b06-f544-4587-a370-1cd5658c9554

Timeline

Publicly Published

2025-04-30 (about 1 year ago)

Added

2025-04-30 (about 1 year ago)

Last Updated

2025-05-01 (about 1 year ago)

Other

Published

Title

Published

2026-06-02

Title

Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download

Published

2026-05-01

Title

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible < 6.7.26 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion

Published

2023-08-01

Title

Stripe Payment Plugin for WooCommerce < 3.7.8 - Authentication Bypass

Published

2025-11-11

Title

GeoDirectory – WP Business Directory Plugin and Classified Listings Directory < 2.8.140 - Missing Authorization to Authenticated (Author+) Arbitrary Image Attachment

Published

2024-12-23

Title

Content No Cache: prevent specific content from being cached < 0.1.3 - Unauthenticated Private Content Disclosure