Description
Improper Validation of Specified Quantity in Input vulnerability in Convers Lab WP SmartPay smartpay.This issue affects WP SmartPay: from n/a through <= 2.8.2.
Published: 2025-09-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper validation of the quantity field in Convers Lab's WP SmartPay plugin allows an attacker to supply an arbitrary quantity value, causing the calculated payment amount to differ from the intended price. This flaw can lead to financial loss or revenue leakage for site owners and can also undermine customer trust. The weakness is related to the input validation subclass that fails to enforce correct boundaries for user‑supplied numeric data.

Affected Systems

Convers Lab:WP SmartPay is affected, with the vulnerability present in all product releases up to and including version 2.8.2. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% reflects a low estimated probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog, so there is no indication of active exploitation. Attackers would likely exploit the flaw through normal use of the purchase flow or by forging requests to the payment form; no privileged access or unusual conditions are mentioned in the description.

Generated by OpenCVE AI on May 1, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s plugin page for a patch or newer release that addresses the quantity validation flaw. Upgrade to the latest available version if a fix is released.
  • Disable or remove the plugin until a patched version is available if the site requires immediate exposure mitigation.
  • Ensure that any custom adjustments to the quantity field are bounded by server‑side validation before processing payments.
  • If upgrading is not yet possible, implement a temporary server‑side script that checks the quantity value against a safe range (e.g., 1–10) before submitting the payment request.

Generated by OpenCVE AI on May 1, 2026 at 06:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27447 Improper Validation of Specified Quantity in Input vulnerability in ThemesGrove WP SmartPay. This issue affects WP SmartPay: from n/a through 2.7.13.
History

Wed, 29 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Validation of Specified Quantity in Input vulnerability in ThemesGrove WP SmartPay. This issue affects WP SmartPay: from n/a through 2.7.13. Improper Validation of Specified Quantity in Input vulnerability in Convers Lab WP SmartPay smartpay.This issue affects WP SmartPay: from n/a through <= 2.8.2.
Title WordPress Download Manager and Payment Form plugin <= 2.7.13 - Price Manipulation vulnerability WordPress Download Manager and Payment Form plugin <= 2.8.2 - Price Manipulation vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Tue, 09 Sep 2025 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Sep 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Themesgrove
Themesgrove wp Smartpay
Wordpress
Wordpress wordpress
Vendors & Products Themesgrove
Themesgrove wp Smartpay
Wordpress
Wordpress wordpress

Tue, 09 Sep 2025 16:45:00 +0000

Type Values Removed Values Added
Description Improper Validation of Specified Quantity in Input vulnerability in ThemesGrove WP SmartPay. This issue affects WP SmartPay: from n/a through 2.7.13.
Title WordPress Download Manager and Payment Form plugin <= 2.7.13 - Price Manipulation vulnerability
Weaknesses CWE-1284
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Themesgrove Wp Smartpay
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:54.931Z

Reserved: 2025-04-09T11:21:30.217Z

Link: CVE-2025-32689

cve-icon Vulnrichment

Updated: 2025-09-09T17:49:33.700Z

cve-icon NVD

Status : Deferred

Published: 2025-09-09T17:15:43.433

Modified: 2026-04-29T10:16:46.417

Link: CVE-2025-32689

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T06:30:10Z

Weaknesses