CVE-2025-3743 - Vulnerability Details

- Upsell Funnel Builder for WooCommerce <= 3.0.0 - Unauthenticated Order Manipulation

Description

The Upsell Funnel Builder for WooCommerce plugin for WordPress is vulnerable to order manipulation in all versions up to, and including, 3.0.0. This is due to the plugin allowing the additional product ID and discount field to be manipulated prior to processing via the 'add_offer_in_cart' function. This makes it possible for unauthenticated attackers to arbitrarily update the product associated with any order bump, and arbitrarily update the discount applied to any order bump item, when adding it to the cart.

Published: 2025-04-25

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Upsell Funnel Builder for WooCommerce plugin has been found to allow unauthenticated order manipulation in all versions up to 3.0.0. By tampering with the additional product ID and discount value before they are processed in the add_offer_in_cart function, an attacker can arbitrarily change the product associated with any order bump and the discount applied to it. This flaw enables unauthorized modification of cart contents and pricing, which can lead to financial loss by altering purchase totals or providing free or discounted goods.

Affected Systems

The vulnerability affects the WPSWings Upsell Funnel Builder for WooCommerce plugin for WordPress in all releases up to and including version 3.0.0. Any site running these versions of the plugin is at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score is below 1%, suggesting a low probability of exploitation. Since the vulnerability is not listed in the CISA KEV catalog, it currently has no known widespread exploitation. The likely attack vector is unauthenticated remote access through the public checkout flow, where an attacker can send crafted requests to the plugin's add_offer_in_cart endpoint. If the attacker succeeds, they can set arbitrary product IDs and discount values for order bump items, potentially altering order totals and revenue.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

wpswings

Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups.

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.0.0

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Upsell Funnel Builder for WooCommerce plugin to the latest version that removes the flaw.
If an upgrade is not feasible, either disable the add_offer_in_cart functionality or uninstall the plugin entirely to eliminate the vulnerability.
Apply a web application firewall rule or configure WooCommerce to restrict unauthenticated users from accessing order modification endpoints.
Implement server-side validation to verify that product IDs and discount amounts are legitimate before applying them to the cart.

Generated by OpenCVE AI on April 20, 2026 at 23:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-12388	The Upsell Funnel Builder for WooCommerce plugin for WordPress is vulnerable to order manipulation in all versions up to, and including, 3.0.0. This is due to the plugin allowing the additional product ID and discount field to be manipulated prior to processing via the 'add_offer_in_cart' function. This makes it possible for unauthenticated attackers to arbitrarily update the product associated with any order bump, and arbitrarily update the discount applied to any order bump item, when adding it to the cart.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00759.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.php#L1771
https://plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.php#L1773
https://plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.php#L1818
https://plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.php#L1829
https://plugins.trac.wordpress.org/changeset/3279944/
https://www.wordfence.com/threat-intel/vulnerabilities/id/b0e1546b-c8cc-4d57-9909-153209e3a9c6?source=cve

History

Fri, 25 Apr 2025 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 25 Apr 2025 07:00:00 +0000

Type	Values Removed	Values Added
Description		The Upsell Funnel Builder for WooCommerce plugin for WordPress is vulnerable to order manipulation in all versions up to, and including, 3.0.0. This is due to the plugin allowing the additional product ID and discount field to be manipulated prior to processing via the 'add_offer_in_cart' function. This makes it possible for unauthenticated attackers to arbitrarily update the product associated with any order bump, and arbitrarily update the discount applied to any order bump item, when adding it to the cart.
Title		Upsell Funnel Builder for WooCommerce <= 3.0.0 - Unauthenticated Order Manipulation
Weaknesses		CWE-472
References		https://plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.php#L1771 https://plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.php#L1773 https://plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.php#L1818 https://plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.php#L1829 https://plugins.trac.wordpress.org/changeset/3279944/ https://www.wordfence.com/threat-intel/vulnerabilities/id/b0e1546b-c8cc-4d57-9909-153209e3a9c6?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-04-25T06:45:29.320Z

Updated: 2026-04-08T17:16:03.915Z

Reserved: 2025-04-16T17:46:38.616Z

Link: CVE-2025-3743

Vulnrichment

Updated: 2025-04-25T14:29:46.942Z

NVD

Status : Deferred

Published: 2025-04-25T07:15:47.980

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3743

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T23:15:06Z

Weaknesses

CWE-472

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object