Impact
An unauthenticated attacker can exploit insecure direct object references in versions of the Simple Shopping Cart plugin up to 5.2.9. By manipulating URL parameters or guessing numeric identifiers, the attacker can retrieve or modify data intended for authorized users, such as order details, customer addresses, or administrative settings. This unauthorized access can lead to confidentiality loss and allow the attacker to tamper with the shopping cart’s state, potentially enabling fraudulent transactions or disrupting availability. The weakness is representative of improper authorization (CWE-639).
Affected Systems
Deployments of the WordPress Simple Shopping Cart plugin by mra13/Team Tips and Tricks HQ running any version 5.2.9 or earlier are affected. The vendor recommends upgrading the plugin to version 5.3.0 or later, which addresses the IDOR issue. No other vendor products are listed. Even a single installation of the vulnerable plugin introduces risk to a site’s WordPress environment.
Risk and Exploitability
With a CVSS score of 7.5 the vulnerability is assessed as high severity. The EPSS value is below 1 percent, indicating that current historical exploitation data and analyst models predict low exploitation likelihood. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, the likely attack vector is direct HTTP requests to the plugin’s endpoints that expose object identifiers without authentication, making the barrier to exploitation low; the primary exploitation path therefore relies on direct HTTP requests to URLs that expose object identifiers. As long as a publicly accessible WordPress installation contains the vulnerable plugin, the attack vector remains viable.
OpenCVE Enrichment