216.73.217.80

CVE-2025-3530

· Published 23/04/2025 08:15 · Modified 23/04/2025 14:08

Labels: CVE-2025-3530 2025-04-23CVE-2025-3530CWE-472[email protected]

Essential information

Published
23/04/2025 08:15
Modified
23/04/2025 14:08
Author
Creator
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS metrics

Description

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involving the inconsistent use of parameters during the cart addition process. The plugin uses the parameter 'product_tmp_two' for computing a security hash against price tampering while using 'wspsc_product' to display the product, allowing an unauthenticated attacker to substitute details from a cheaper product and bypass payment for a more expensive item.

NVD status

Status
Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
wordpress / simple shopping cart cpe:2.3:a:wordpress:simple_shopping_cart:*:*:*:*:*:wordpress:*:*

References