CVE-2024-12253 MEDIUM

CVE-2024-12253: Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal <= 3.1.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update / Data Access

Vendor Nshowketgmailcom
Product Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal
Weakness CWE-862 · Missing authorization
Published December 7, 2024
Last update April 8, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

The Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'save_settings', 'export_csv', and 'simpleecommcart-action' actions in all versions up to, and including, 3.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to update the plugin's settings and retrieve order and log data (which is also accessible to unauthenticated users).

Key dates

02 Disclosure timeline

December 7, 2024 CVE published
April 8, 2026 Record updated
