CVE-2025-3743 MEDIUM

CVE-2025-3743: Upsell Funnel Builder for WooCommerce <= 3.0.0 - Unauthenticated Order Manipulation

Vendor Wpswings
Product Upsell Funnel Builder for WooCommerce – Create Upsells, Cross-Sells, Order Bumps, Frequently Bought, and Popups.
Weakness CWE-472
Published April 25, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Upsell Funnel Builder for WooCommerce plugin for WordPress is vulnerable to order manipulation in all versions up to, and including, 3.0.0. This is due to the plugin allowing the additional product ID and discount field to be manipulated prior to processing via the 'add_offer_in_cart' function. This makes it possible for unauthenticated attackers to arbitrarily update the product associated with any order bump, and arbitrarily update the discount applied to any order bump item, when adding it to the cart.
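To make the weakness class (CWE-472, external control of an assumed-immutable web parameter) concrete, here is a hypothetical order-bump add-to-cart handler in the vulnerable shape the description outlines, beside a hardened form. This is an added illustration, not the plugin's own code; the `demo_` function names, the `demo_order_bump` post type, the meta keys and the AJAX action are assumptions, while the WordPress and WooCommerce API calls are real.

```php
<?php
// Hypothetical illustration of CWE-472 in an order-bump handler.
// Not the plugin's actual code; demo_* names and meta keys are assumed.

// VULNERABLE PATTERN: product ID and discount are read from the request,
// so the client decides what the offer adds and at what discount.
function demo_add_offer_in_cart_vulnerable() {
    $bump_id    = absint( $_POST['bump_id'] );
    $product_id = absint( $_POST['product_id'] );   // client-controlled
    $discount   = floatval( $_POST['discount'] );   // client-controlled
    WC()->cart->add_to_cart( $product_id, 1, 0, array(), array(
        'demo_bump_id'  => $bump_id,
        'demo_discount' => $discount,
    ) );
}

// HARDENED PATTERN: the request only names the bump; product and discount
// are resolved server-side from the stored configuration for that bump.
function demo_add_offer_in_cart_hardened() {
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_add_offer' ) ) {
        wp_send_json_error( 'invalid request', 403 );
    }
    $bump_id = isset( $_POST['bump_id'] ) ? absint( $_POST['bump_id'] ) : 0;
    // Assumed storage: each bump is a 'demo_order_bump' post carrying meta.
    if ( ! $bump_id || 'demo_order_bump' !== get_post_type( $bump_id ) ) {
        wp_send_json_error( 'unknown offer', 400 );
    }
    $product_id = absint( get_post_meta( $bump_id, '_demo_product_id', true ) );
    $discount   = floatval( get_post_meta( $bump_id, '_demo_discount', true ) );
    $product    = wc_get_product( $product_id );
    if ( ! $product || ! $product->is_purchasable() ) {
        wp_send_json_error( 'offer product unavailable', 400 );
    }
    // Clamp the percentage even though it comes from trusted storage.
    $discount = min( max( $discount, 0 ), 100 );
    // Applying the discount to the line price is done elsewhere (e.g. on
    // woocommerce_before_calculate_totals); only the trusted value is stored.
    $key = WC()->cart->add_to_cart( $product_id, 1, 0, array(), array(
        'demo_bump_id'  => $bump_id,
        'demo_discount' => $discount,
    ) );
    if ( ! $key ) {
        wp_send_json_error( 'could not add offer', 500 );
    }
    wp_send_json_success( array( 'cart_item_key' => $key ) );
}

// Guests (nopriv) must reach the handler too, so both hooks are registered.
add_action( 'wp_ajax_demo_add_offer', 'demo_add_offer_in_cart_hardened' );
add_action( 'wp_ajax_nopriv_demo_add_offer', 'demo_add_offer_in_cart_hardened' );
```

The defensive point is that the only client-supplied value is the bump identifier; everything that affects price or product is looked up on the server.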

Explanation of Vulnerability in Simple Terms

02 Summary

The Upsell Funnel Builder for WooCommerce plugin through version 3.0.0 contains an integrity vulnerability that allows unauthenticated attackers to modify data via the network. No user interaction is required. The vulnerability does not affect data confidentiality or site availability. Site administrators should update to a version newer than 3.0.0.

What an attacker can do

03 Attacker Capabilities

Modify data on the site without authentication or user interaction.

Potential impact on your site

04 Site Impact

Attackers can, without logging in, change which product an order bump adds to the cart and the discount applied to that item, undermining the site's upsell, cross-sell and order bump configurations.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user action required.

Key dates

06 Disclosure timeline

April 25, 2025 CVE published
April 8, 2026 Record updated