Description
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involving the inconsistent use of parameters during the cart addition process. The plugin uses the parameter 'product_tmp_two' for computing a security hash against price tampering while using 'wspsc_product' to display the product, allowing an unauthenticated attacker to substitute details from a cheaper product and bypass payment for a more expensive item.
Published: 2025-04-23
Score: 7.5 High
EPSS: 1.2% Low
KEV: No
Impact: Unauthenticated Product Price Manipulation
Action: Upgrade Immediately
AI Analysis

Impact

The WordPress Simple PayPal Shopping Cart plugin contains a logic flaw that allows an unauthenticated attacker to manipulate the product price during the cart addition process. Because the security hash is computed from one request parameter ('product_tmp_two') while the product shown and added to the cart comes from another ('wspsc_product'), a request can pass the anti-tampering check for a cheaper product while the cart entry refers to a more expensive one, resulting in financial loss for the site owner and compromising the integrity of the checkout process. The underlying weakness is that the parameter the hash protects is not the parameter the cart logic actually consumes, so verification and display operate on inconsistent values.

Affected Systems

This vulnerability affects WordPress sites running the mra13 Simple PayPal Shopping Cart plugin at version 5.1.2 or any earlier release; such sites remain affected until they upgrade to a patched version.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5, indicating high severity, and an EPSS score of 1%, meaning exploitation is considered possible but currently unlikely, and it is not listed in CISA's KEV catalog. The attack can be performed by sending a crafted HTTP POST request to the cart endpoint with manipulated parameters; authentication is not required, so any visitor can exploit the flaw if the endpoint is publicly accessible.

Generated by OpenCVE AI on April 20, 2026 at 23:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WordPress Simple PayPal Shopping Cart plugin to the latest available version (5.1.3 or newer) where the price handling logic has been corrected.
  • If an upgrade cannot be performed immediately, modify the plugin’s wp_shopping_cart.php file to enforce that the same product identifier is used for both the price hash calculation and the displayed product, thereby preventing the mismatch that permits manipulation.
  • Restrict the cart addition endpoint so that it requires user authentication or a valid CSRF token before accepting product parameters; this reduces the risk that unauthenticated users can submit malicious requests.
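As an added illustration of the mismatch the recommendations above describe (hypothetical, simplified PHP, not the plugin's own code): a weak cart handler that verifies the hash over one parameter but builds the cart entry from another, beside a hardened one that uses a single product id, a server-side price, and an HMAC bound to both. The catalog, the secret and the 'price_hash' field name are assumptions.

```php
<?php
// Added illustration in PHP; hypothetical and simplified, not the plugin's own code.
// The flaw on this page: the anti-tampering hash is verified over one request
// parameter ('product_tmp_two') while the cart entry is built from another
// ('wspsc_product'). Assumed: a server-side catalog keyed by product id, a
// server-side secret, and a posted 'price_hash' field carrying the hash.

$catalog = [                                   // constructed sample catalog
    'mug'    => ['name' => 'Mug',    'price' => 5.00],
    'laptop' => ['name' => 'Laptop', 'price' => 1500.00],
];
$secret = 'server-side-secret-placeholder';    // placeholder, not a real key

function price_hash(string $id, float $price, string $secret): string {
    return hash_hmac('sha256', $id . '|' . number_format($price, 2, '.', ''), $secret);
}

// Weak pattern: the hash check and the cart entry read different parameters.
function add_to_cart_weak(array $post, array $catalog, string $secret): ?array {
    $hashed_id  = (string)($post['product_tmp_two'] ?? '');
    $shown_id   = (string)($post['wspsc_product'] ?? '');
    $price      = $catalog[$hashed_id]['price'] ?? 0.0;
    $expected   = price_hash($hashed_id, $price, $secret);
    if (!hash_equals($expected, (string)($post['price_hash'] ?? ''))) {
        return null;      // only product_tmp_two is bound to the hash
    }
    // Name comes from wspsc_product, price from product_tmp_two: the two can diverge.
    return ['id' => $shown_id, 'name' => $catalog[$shown_id]['name'] ?? '', 'price' => $price];
}

// Hardened pattern: a single product id drives lookup, hash check and cart entry.
function add_to_cart_hardened(array $post, array $catalog, string $secret): ?array {
    $id = (string)($post['wspsc_product'] ?? '');
    if (!isset($catalog[$id])) {
        return null;      // unknown product id
    }
    $price    = $catalog[$id]['price'];        // price is never taken from the request
    $expected = price_hash($id, $price, $secret);
    if (!hash_equals($expected, (string)($post['price_hash'] ?? ''))) {
        return null;      // hash does not match this product and price
    }
    return ['id' => $id, 'name' => $catalog[$id]['name'], 'price' => $price];
}
```

The hardened handler ignores any second product parameter entirely, which is the simplest way to guarantee that the value the hash protects is the value the cart uses.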


Advisories

Source: EUVD
ID: EUVD-2025-12241
Title: The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involving the inconsistent use of parameters during the cart addition process. The plugin uses the parameter 'product_tmp_two' for computing a security hash against price tampering while using 'wspsc_product' to display the product, allowing an unauthenticated attacker to substitute details from a cheaper product and bypass payment for a more expensive item.
History

Wed, 23 Apr 2025 17:15:00 +0000

Values added:
Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 23 Apr 2025 07:30:00 +0000

Values added:
Description: The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involving the inconsistent use of parameters during the cart addition process. The plugin uses the parameter 'product_tmp_two' for computing a security hash against price tampering while using 'wspsc_product' to display the product, allowing an unauthenticated attacker to substitute details from a cheaper product and bypass payment for a more expensive item.
Title: WordPress Simple PayPal Shopping Cart <= 5.1.2 - Unauthenticated Product Price Manipulation
Weaknesses: CWE-472
References:
Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:46.040Z

Reserved: 2025-04-11T22:18:57.487Z

Link: CVE-2025-3530

Vulnrichment

Updated: 2025-04-23T16:31:01.691Z

NVD

Status: Deferred

Published: 2025-04-23T08:15:14.723

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3530

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:15:06Z

Weaknesses