Analysis Summary

CVE-2025-3890 CVSS:6.4

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_cart_button' shortcode in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-3889 CVSS:5.3

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 via the 'process_payment_data' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to change the quantity of a product to a negative number, which subtracts the product cost from the total order cost. The attack will only work with Manual Checkout mode, as PayPal and Stripe will not process.

CVE-2025-3874 CVSS:6.5

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.3 due to lack of randomization of a user controlled key. This makes it possible for unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes.

Impact

• Gain Access
• Cross-site Scripting

Indicators of Compromise

CVE

• CVE-2025-3890

• CVE-2025-3889

• CVE-2025-3874

Affected Vendors

Remediation

Upgrade to the latest version for WordPress, available from the WordPress Plugin Directory.

CVE-2025-3890

CVE-2025-3889

CVE-2025-3874