CVE-2025-3530 (severity: HIGH)

CVE-2025-3530: WordPress Simple PayPal Shopping Cart <= 5.1.2 - Unauthenticated Product Price Manipulation

Vendor: Mra13
Product: Simple Shopping Cart
Weakness: CWE-472 (External Control of Assumed-Immutable Web Parameter)
Published: April 23, 2025
Last update: April 8, 2026

CVSS base score: 7.5/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involving the inconsistent use of parameters during the cart addition process. The plugin uses the parameter 'product_tmp_two' for computing a security hash against price tampering while using 'wspsc_product' to display the product, allowing an unauthenticated attacker to substitute details from a cheaper product and bypass payment for a more expensive item.
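The flaw above is a binding mistake: the anti-tampering hash is computed over one request field while the cart entry is built from another, so the hash never actually protects the value that is used. The following Python model, added here as an illustration and not code from the plugin or its vendor, contrasts that pattern with a hardened handler that binds the hash to the single field it acts on and re-reads the price from a server-side catalogue. It also includes a consistency check suitable for a log or WAF rule. The secret, catalogue, form builder and handler names are all constructed for the example; the plugin's real code and data differ.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed secret and catalogue for the demo; a real deployment has its own.
SECRET = b"constructed-demo-secret"
CATALOG: Dict[str, float] = {
    "cheap-mug": 5.00,
    "premium-laptop": 1500.00,
}


def price_token(product: str, price: float) -> str:
    """Server-side tag binding a product to its price so a form field
    carrying the price cannot be changed without detection."""
    msg = f"{product}|{price:.2f}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def build_form(product: str) -> Dict[str, str]:
    """What a legitimately rendered add-to-cart form carries in this model:
    both product fields agree and the token matches the catalogue price."""
    price = CATALOG[product]
    return {
        "wspsc_product": product,
        "product_tmp_two": product,
        "price": f"{price:.2f}",
        "token": price_token(product, price),
    }


@dataclass
class CartLine:
    product: str
    price: float


def add_to_cart_mismatched(params: Dict[str, str]) -> Optional[CartLine]:
    """Model of the flawed pattern in the advisory: the token is checked
    against 'product_tmp_two' but the cart line is built from
    'wspsc_product', so the two can disagree and the check still passes."""
    price = float(params["price"])
    expected = price_token(params["product_tmp_two"], price)
    if not hmac.compare_digest(expected, params["token"]):
        return None
    return CartLine(params["wspsc_product"], price)


def add_to_cart_hardened(params: Dict[str, str]) -> Optional[CartLine]:
    """Hardened pattern: a single product identifier feeds both the token
    check and the cart line, and the price is re-read from the server-side
    catalogue rather than trusted from the submitted field."""
    product = params["wspsc_product"]
    if product not in CATALOG:
        return None
    price = CATALOG[product]
    expected = price_token(product, price)
    if not hmac.compare_digest(expected, params["token"]):
        return None
    return CartLine(product, price)


def parameters_disagree(params: Dict[str, str]) -> bool:
    """Detection check for logs or WAF rules: a server-rendered form always
    submits the same product in both fields, so a disagreement is a
    tampering indicator worth alerting on."""
    return params.get("wspsc_product") != params.get("product_tmp_two")


def scan_requests(requests: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of submitted parameter sets whose product fields disagree."""
    return [i for i, p in enumerate(requests) if parameters_disagree(p)]


if __name__ == "__main__":
    legit = build_form("premium-laptop")
    mixed = build_form("cheap-mug")
    mixed["wspsc_product"] = "premium-laptop"  # constructed mismatched-parameter case
    print(add_to_cart_mismatched(mixed))  # laptop line at the mug's price: the flaw
    print(add_to_cart_hardened(mixed))    # None: token does not cover the laptop
    print(scan_requests([legit, mixed]))  # [1]
```

The hardened handler makes the hash redundant for price integrity, since the price comes from the catalogue; keeping it still rejects forms the server never issued. The `parameters_disagree` check is the cheapest retrofit while a patched version is rolled out: any request in which the two product fields differ did not come from a genuine form.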

Explanation of Vulnerability in Simple Terms

02 Summary

Simple Shopping Cart versions 5.1.2 and earlier contain an integrity vulnerability allowing attackers to modify data without authentication. The vulnerability requires only network access and no user interaction. An attacker can alter shopping cart data, product information, or transaction records, potentially affecting order accuracy and customer trust.

What an attacker can do

03 Attacker Capabilities

Modify shopping cart data, product information, or transaction records without authentication.

Potential impact on your site

04 Site Impact

Orders, prices, and cart contents can be altered by attackers, leading to incorrect transactions and data corruption.

Conditions required to exploit

05 Prerequisites

Network access to the affected Simple Shopping Cart installation; no authentication required.

Key dates

06 Disclosure timeline

April 23, 2025: CVE published
April 8, 2026: Record updated