CVE-2025-3530: CWE-472 External Control of Assumed-Immutable Web Parameter in mra13 Simple Shopping Cart
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involving the inconsistent use of parameters during the cart addition process. The plugin uses the parameter 'product_tmp_two' for computing a security hash against price tampering while using 'wspsc_product' to display the product, allowing an unauthenticated attacker to substitute details from a cheaper product and bypass payment for a more expensive item.
AI Analysis
Technical Summary
CVE-2025-3530 affects the mra13 Simple Shopping Cart WordPress plugin through a logic flaw involving external control of assumed-immutable web parameters (CWE-472). The plugin inconsistently uses the 'product_tmp_two' parameter for security hash computation against price tampering, while the 'wspsc_product' parameter is used for displaying product information. This discrepancy allows an unauthenticated attacker to manipulate the cart by substituting a cheaper product's details, effectively bypassing payment for more expensive items. The vulnerability impacts all versions up to and including 5.1.2. No patch or official fix information is provided in the data.
Potential Impact
Successful exploitation allows an unauthenticated attacker to manipulate product prices in the shopping cart, potentially bypassing payment for higher-priced items. This leads to integrity issues in transaction processing and financial loss for merchants using the affected plugin. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported as of the published date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor the vendor's communications for updates. Until a fix is available, consider disabling the plugin or restricting its use to trusted users only to mitigate risk. Avoid relying on the plugin for critical payment processing without additional validation controls.
CVE-2025-3530: CWE-472 External Control of Assumed-Immutable Web Parameter in mra13 Simple Shopping Cart
Description
The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involving the inconsistent use of parameters during the cart addition process. The plugin uses the parameter 'product_tmp_two' for computing a security hash against price tampering while using 'wspsc_product' to display the product, allowing an unauthenticated attacker to substitute details from a cheaper product and bypass payment for a more expensive item.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-3530 affects the mra13 Simple Shopping Cart WordPress plugin through a logic flaw involving external control of assumed-immutable web parameters (CWE-472). The plugin inconsistently uses the 'product_tmp_two' parameter for security hash computation against price tampering, while the 'wspsc_product' parameter is used for displaying product information. This discrepancy allows an unauthenticated attacker to manipulate the cart by substituting a cheaper product's details, effectively bypassing payment for more expensive items. The vulnerability impacts all versions up to and including 5.1.2. No patch or official fix information is provided in the data.
Potential Impact
Successful exploitation allows an unauthenticated attacker to manipulate product prices in the shopping cart, potentially bypassing payment for higher-priced items. This leads to integrity issues in transaction processing and financial loss for merchants using the affected plugin. There is no indication of confidentiality or availability impact. No known exploits in the wild have been reported as of the published date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor the vendor's communications for updates. Until a fix is available, consider disabling the plugin or restricting its use to trusted users only to mitigate risk. Avoid relying on the plugin for critical payment processing without additional validation controls.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-04-11T22:18:57.487Z
- Cisa Enriched
- true
Threat ID: 682d9846c4522896dcbf50b0
Added to database: 5/21/2025, 9:09:26 AM
Last enriched: 4/9/2026, 10:14:28 AM
Last updated: 5/8/2026, 10:53:07 PM
Views: 111
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.