CVE-2025-3743: 
WordPress vulnerability analysis and mitigation

The Upsell Funnel Builder for WooCommerce plugin for WordPress is vulnerable to order manipulation in all versions up to, and including, 3.0.0. This vulnerability was discovered and disclosed on April 25, 2025. The vulnerability affects the plugin's 'addofferin_cart' function, which allows the additional product ID and discount field to be manipulated prior to processing (NVD).

The vulnerability exists due to insufficient input validation in the plugin's 'addofferin_cart' function. The plugin allows unauthenticated attackers to arbitrarily update both the product associated with any order bump and the discount applied to any order bump item when adding it to the cart. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The vulnerability is classified under CWE-472 (External Control of Assumed-Immutable Web Parameter) (NVD).

This vulnerability allows unauthenticated attackers to manipulate order details by modifying the product ID and discount values associated with order bumps. This could potentially lead to unauthorized price modifications and product substitutions in the shopping cart, affecting the integrity of e-commerce transactions (NVD).

The vulnerability has been identified in versions up to and including 3.0.0. Website administrators should update to version 3.0.1 or later when available. Until then, careful monitoring of order transactions and implementing additional server-side validation could help mitigate potential exploits (NVD).