Description
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'process_payment_data' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the quantity of a product to a negative number, which subtracts the product cost from the total order cost. The attack will only work with Manual Checkout mode, as PayPal and Stripe will not process payments for a negative quantity.
Published: 2025-05-01
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized quantity manipulation resulting in negative order totals
Action: Immediate Patch
AI Analysis

Impact

The WordPress Simple Shopping Cart plugin permits an unauthenticated attacker to alter the 'quantity' parameter in the process_payment_data request. Because the value is not validated, a negative quantity is accepted, which reduces the total order cost by the product amount. The flaw does not affect PayPal or Stripe processing, but it is exploitable when the site uses Manual Checkout, enabling the attacker to obtain refunds or pay artificially lowered charges.

Affected Systems

All installations of the WordPress Simple Shopping Cart plugin up to and including version 5.1.3 on WordPress sites. The affected component is the process_payment_data handler within the plugin. Users of older versions that still allow manual processing are at risk.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity. The EPSS score is below 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. However, because the attacker only needs to submit a crafted request and no privileged credentials are required, the attack could be automated wherever a manual checkout path is enabled. The impact on confidentiality is negligible, but integrity is compromised: an attacker can artificially lower transaction amounts, potentially leading to financial loss or unauthorized refunds.

Generated by OpenCVE AI on April 22, 2026 at 01:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Simple Shopping Cart plugin to the latest available version that removes the vulnerability.
  • If an immediate upgrade is not possible, disable the Manual Checkout mode so that PayPal or Stripe processing blocks negative quantities.
  • Review recent orders for negative totals and issue refunds or corrections as needed.
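The root cause described above is a quantity taken from the request without a range check. The following PHP is an added illustration, not the plugin's own code: a hypothetical cart-total routine in the unvalidated form beside a hardened form that accepts only positive integers and refuses the whole order otherwise (function names, prices and the request values are constructed for the example).

```php
<?php
// Added example (hypothetical names); not code from the Simple Shopping Cart plugin.

// Weak pattern: the request value is cast to int with no range check,
// so "-3" becomes -3 and the product price is subtracted from the total.
function cart_total_unvalidated(array $prices, array $request_qty): float {
    $total = 0.0;
    foreach ($prices as $id => $price) {
        $qty = isset($request_qty[$id]) ? (int) $request_qty[$id] : 1;
        $total += $price * $qty;
    }
    return $total;
}

// Hardened: accept only an integer in [1, $max]; anything else (negative,
// zero, float, empty, non-numeric) yields null.
function sanitize_quantity($raw, int $max = 1000): ?int {
    $qty = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return ($qty === false) ? null : $qty;
}

// Recompute the total server-side from catalog prices; never trust a
// client-supplied total. Reject the order if any quantity fails validation.
function cart_total_validated(array $prices, array $request_qty): ?float {
    $total = 0.0;
    foreach ($prices as $id => $price) {
        $qty = sanitize_quantity($request_qty[$id] ?? 1);
        if ($qty === null) {
            error_log("rejected order: invalid quantity for product $id");
            return null;
        }
        $total += $price * $qty;
    }
    return $total;
}

// Constructed sample: two catalog items; the request sets p2's quantity to -3.
$prices  = ['p1' => 40.00, 'p2' => 10.00];
$request = ['p1' => '1', 'p2' => '-3'];

echo cart_total_unvalidated($prices, $request), "\n"; // 10: p2's price subtracted
var_dump(cart_total_validated($prices, $request));   // NULL: order refused
```

The same `sanitize_quantity()` check can be applied when reviewing stored orders: any line item whose quantity fails it, or any order whose recomputed total differs from the stored total, is a candidate for the correction step above.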

Advisories

  • Source: EUVD, ID: EUVD-2025-15023. Title: identical to the Description above.
History

Tue, 06 May 2025 16:00:00 +0000 (values added)

  • First time appeared: Tipsandtricks-hq; Tipsandtricks-hq wordpress Simple Paypal Shopping Cart
  • CPEs: cpe:2.3:a:tipsandtricks-hq:wordpress_simple_paypal_shopping_cart:*:*:*:*:*:wordpress:*:*
  • Vendors & Products: Tipsandtricks-hq; Tipsandtricks-hq wordpress Simple Paypal Shopping Cart

Thu, 01 May 2025 14:15:00 +0000 (values added)

  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 01 May 2025 11:30:00 +0000 (values added)

  • Description: as given under Description above.
  • Title: WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference via 'quantity'
  • Weaknesses: CWE-639
  • References: none listed
  • Metrics (cvssV3_1): {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:48:35.209Z

Reserved: 2025-04-22T23:10:04.442Z

Link: CVE-2025-3889

Vulnrichment

Updated: 2025-05-01T13:49:23.767Z

NVD

Status: Analyzed

Published: 2025-05-01T12:15:17.630

Modified: 2025-05-06T15:39:43.323

Link: CVE-2025-3889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:45:05Z

Weaknesses