CVE-2025-3529 HIGH

CVE-2025-3529: WordPress Simple PayPal Shopping Cart <= 5.1.2 - Unauthenticated Information Exposure via file_url Parameter

Vendor: Mra13
Product: Simple Shopping Cart
Weakness: CWE-201
Published: April 23, 2025
Last update: April 8, 2026

CVSS base score

8.2/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

What the vulnerability does

01 Description

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.2 via the 'file_url' parameter. This makes it possible for unauthenticated attackers to view potentially sensitive information and download a digital product without paying for it.

Explanation of Vulnerability in Simple Terms

02 Summary

Simple Shopping Cart versions 5.1.2 and earlier contain an information disclosure vulnerability combined with a data modification flaw. An attacker on the network can read sensitive information and alter data without authentication. The vulnerability requires no user interaction and affects the integrity and confidentiality of the shopping cart system.

What an attacker can do

03 Attacker Capabilities

Read sensitive information and modify data in the shopping cart without logging in.

Potential impact on your site

04 Site Impact

Customer data and cart contents can be viewed and altered by unauthorized users, risking fraud and data loss.

Conditions required to exploit

05 Prerequisites

Network access to the affected Simple Shopping Cart installation; no authentication required.

Key dates

06 Disclosure timeline

April 23, 2025: CVE published
April 8, 2026: Record updated