What the vulnerability does
01 Description
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.2 via the 'file_url' parameter. This makes it possible for unauthenticated attackers to view potentially sensitive information and download a digital product without paying for it.
Explanation of Vulnerability in Simple Terms
02 Summary
Simple Shopping Cart versions 5.1.2 and earlier contain an information disclosure vulnerability combined with a data modification flaw. An attacker on the network can read sensitive information and alter data without authentication. The vulnerability requires no user interaction and affects the integrity and confidentiality of the shopping cart system.
What an attacker can do
03 Attacker Capabilities
Read sensitive information and modify data in the shopping cart without logging in.
Potential impact on your site
04 Site Impact
Customer data and cart contents can be viewed and altered by unauthorized users, risking fraud and data loss.
Conditions required to exploit
05 Prerequisites
Network access to the affected Simple Shopping Cart installation; no authentication required.
Key dates
06 Disclosure timeline
April 23, 2025: CVE published
April 8, 2026: Record updated