Description
Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker can exploit insecure direct object references in versions of the Simple Shopping Cart plugin up to 5.2.9. By manipulating URL parameters or guessing numeric identifiers, the attacker can retrieve or modify data intended for authorized users, such as order details, customer addresses, or administrative settings. This unauthorized access can lead to confidentiality loss and allow the attacker to tamper with the shopping cart’s state, potentially enabling fraudulent transactions or disrupting availability. The weakness is representative of improper authorization (CWE-639).

Affected Systems

Deployments of the WordPress Simple Shopping Cart plugin by mra13/Team Tips and Tricks HQ running any version 5.2.9 or earlier are affected. The vendor recommends upgrading the plugin to version 5.3.0 or later, which addresses the IDOR issue. No other vendor products are listed. Even a single installation of the vulnerable plugin introduces risk to a site’s WordPress environment.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is assessed as high severity. The EPSS value is below 1 percent, indicating that current historical exploitation data and analyst models predict low exploitation likelihood. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, the likely attack vector is direct HTTP requests to the plugin’s endpoints that expose object identifiers without authentication, making the barrier to exploitation low; the primary exploitation path therefore relies on direct HTTP requests to URLs that expose object identifiers. As long as a publicly accessible WordPress installation contains the vulnerable plugin, the attack vector remains viable.

Generated by OpenCVE AI on June 18, 2026 at 00:38 UTC.

Remediation

Vendor Solution

Update the WordPress Simple Shopping Cart Plugin to the latest available version (at least 5.3.0).


OpenCVE Recommended Actions

  • Update the WordPress Simple Shopping Cart plugin to version 5.3.0 or later
  • If the plugin cannot be updated immediately, remove the files that expose the vulnerable endpoints so that direct object references are no longer accessible
  • Restrict all HTTP requests to the plugin’s administrative URLs to authenticated users by configuring web server rules or security plug‑ins
  • Ensure that WordPress user roles and permissions enforce least privilege, preventing lower‑privilege accounts from accessing order or customer data

Generated by OpenCVE AI on June 18, 2026 at 00:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Mra13 / Team Tips And Tricks Hq
Mra13 / Team Tips And Tricks Hq simple Shopping Cart
Wordpress
Wordpress wordpress
Vendors & Products Mra13 / Team Tips And Tricks Hq
Mra13 / Team Tips And Tricks Hq simple Shopping Cart
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions.
Title WordPress Simple Shopping Cart plugin <= 5.2.9 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Mra13 / Team Tips And Tricks Hq Simple Shopping Cart
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:25:36.274Z

Reserved: 2026-05-25T22:10:00.865Z

Link: CVE-2026-48868

cve-icon Vulnrichment

Updated: 2026-06-16T12:25:32.281Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:16.323

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-48868

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:06:57Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key