CVE-2025-3530: 
WordPress vulnerability analysis and mitigation

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This vulnerability was discovered and disclosed on April 23, 2025. The plugin is used for implementing shopping cart functionality in WordPress sites (NVD).

The vulnerability stems from a logic flaw involving inconsistent use of parameters during the cart addition process. The plugin uses the parameter 'producttmptwo' for computing a security hash against price tampering while using 'wspsc_product' to display the product. This inconsistency in parameter handling creates a security bypass vulnerability. The issue has been assigned a CVSS v3.1 Base Score of 7.5 HIGH with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (Wordfence).

An unauthenticated attacker can exploit this vulnerability to substitute details from a cheaper product and bypass payment for a more expensive item, potentially leading to financial losses for merchants using this plugin (NVD).

Site administrators using the WordPress Simple Shopping Cart plugin should update to a version newer than 5.1.2 when available. Until a patch is released, consider implementing additional server-side validation of prices or temporarily disabling the plugin if the risk is deemed too high (NVD).