
CVE-2024-12253: CWE-862 Missing Authorization in nshowketgmailcom Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal

Severity: Medium
Tags: Vulnerability, CVE-2024-12253, CWE-862
Published: Sat Dec 07 2024 (12/07/2024, 09:26:01 UTC)
Source: CVE Database V5
Vendor/Project: nshowketgmailcom
Product: Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal

Description

CVE-2024-12253 is a medium severity vulnerability in the Simple Ecommerce Shopping Cart Plugin for WordPress, allowing authenticated users with subscriber-level access or higher to bypass authorization checks. This flaw enables attackers to modify plugin settings and access sensitive order and log data, which is also partially exposed to unauthenticated users. The vulnerability arises from missing capability checks on critical plugin actions such as 'save_settings', 'export_csv', and 'simpleecommcart-action' in all versions up to and including 3.1.2. Exploitation requires no user interaction but does require at least subscriber-level authentication. While no known exploits are currently reported in the wild, the ease of exploitation and potential data exposure pose a significant risk to websites using this plugin. Organizations relying on this plugin for ecommerce transactions should prioritize patching or mitigating this issue to prevent unauthorized data access and configuration changes.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 05:46:28 UTC

Technical Analysis

The Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal for WordPress suffers from a missing authorization vulnerability identified as CVE-2024-12253 (CWE-862). This vulnerability exists because the plugin fails to perform proper capability checks on several critical actions, including 'save_settings', 'export_csv', and 'simpleecommcart-action'. As a result, any authenticated user with subscriber-level privileges or higher can exploit these actions to update plugin settings and retrieve sensitive order and log data. Notably, some order and log data is also accessible to unauthenticated users, increasing the risk of information leakage. The vulnerability affects all plugin versions up to and including 3.1.2. The CVSS 3.1 base score is 5.4, reflecting a medium severity with network attack vector, low attack complexity, and requiring low privileges but no user interaction. Although no public exploits have been reported, the vulnerability could be leveraged by attackers who have gained low-level access to WordPress sites to escalate their privileges within the plugin context, potentially leading to data exposure and unauthorized configuration changes. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps.

Potential Impact

This vulnerability can have significant impacts on organizations using the affected plugin. Unauthorized modification of plugin settings could disrupt ecommerce operations, potentially affecting payment processing or product listings. Exposure of order and log data risks leaking sensitive customer information, which could lead to privacy violations, regulatory non-compliance, and reputational damage. Since the vulnerability can be exploited by users with minimal privileges, attackers who compromise low-level accounts can escalate their access to sensitive ecommerce data. This could facilitate further attacks such as fraud, data theft, or manipulation of sales records. The partial exposure of data to unauthenticated users further increases the risk of information disclosure. Organizations relying on this plugin for online sales may face operational disruptions, customer trust erosion, and potential financial losses if the vulnerability is exploited.

Mitigation Recommendations

Organizations should immediately audit their WordPress sites to identify installations of the Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal. Until an official patch is released, administrators should restrict subscriber-level access and review user roles to minimize exposure. Implementing strict access controls and monitoring for unusual activity related to plugin settings changes or data exports is critical. Consider temporarily disabling the plugin if feasible or replacing it with a more secure alternative. Web application firewalls (WAFs) can be configured to detect and block suspicious requests targeting the vulnerable plugin actions. Regular backups of ecommerce data and logs should be maintained to enable recovery in case of compromise. Finally, stay informed about vendor updates and apply patches promptly once available.
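To make the CWE-862 pattern from the Technical Analysis concrete, here is an added illustration (not the plugin's actual code, which this page does not reproduce): a hypothetical WordPress admin-ajax settings handler with no authorization check, followed by the hardened form that verifies an administrative capability and a nonce before touching settings or order data. Function names, option keys and nonce action names are assumptions.

```php
<?php
// Added illustration only; not the plugin's code. Function names, option
// keys and the nonce action names are assumptions.

// VULNERABLE PATTERN (CWE-862): every wp_ajax_* hook is reachable by any
// logged-in user, so without a capability check a subscriber can rewrite
// the settings. Shown for contrast; it is deliberately not hooked below.
function hypothetical_cart_save_settings_vulnerable() {
    update_option( 'hypothetical_cart_paypal_email',
                   sanitize_email( $_POST['paypal_email'] ?? '' ) );
    wp_send_json_success( 'saved' );
}

// Shared guard: authorization (capability) plus CSRF protection (nonce).
// Both WordPress helpers terminate the request on failure, so code after
// the guard only runs for an administrator who submitted a valid nonce.
function hypothetical_cart_require_admin( string $nonce_action ): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    check_ajax_referer( $nonce_action, 'nonce' );
}

// HARDENED settings handler: same work as the vulnerable one, guarded.
function hypothetical_cart_save_settings() {
    hypothetical_cart_require_admin( 'hypothetical_cart_settings' );
    update_option( 'hypothetical_cart_paypal_email',
                   sanitize_email( $_POST['paypal_email'] ?? '' ) );
    wp_send_json_success( 'saved' );
}

// HARDENED export handler: the same guard protects reads of order data.
function hypothetical_cart_export_csv() {
    hypothetical_cart_require_admin( 'hypothetical_cart_export' );
    $orders = get_option( 'hypothetical_cart_orders', array() );
    header( 'Content-Type: text/csv' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $orders as $order ) {
        fputcsv( $out, $order );
    }
    fclose( $out );
    wp_die();
}

// Register only the authenticated wp_ajax_ hooks. Not registering any
// wp_ajax_nopriv_ variant keeps these endpoints closed to unauthenticated
// visitors, the exposure the advisory describes for order and log data.
add_action( 'wp_ajax_hypothetical_cart_save_settings', 'hypothetical_cart_save_settings' );
add_action( 'wp_ajax_hypothetical_cart_export_csv', 'hypothetical_cart_export_csv' );
```

When auditing a plugin for this class of bug, look for every wp_ajax_ and wp_ajax_nopriv_ registration and confirm the handler reaches a current_user_can() check before any update_option() or data read.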


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-05T16:16:34.458Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e33b7ef31ef0b597a1b

Added to database: 2/25/2026, 9:48:35 PM

Last enriched: 2/26/2026, 5:46:28 AM

Last updated: 2/26/2026, 10:42:54 AM
