CVE-2025-3851: 
WordPress vulnerability analysis and mitigation

The WP SmartPay plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CVE-2025-3851) affecting versions 1.1.0 through 2.7.13. The vulnerability was discovered and disclosed on May 6, 2025, and is present in the show() function of the plugin. This security flaw affects the Download Manager and Payment Form functionality of the WordPress plugin (NVD).

The vulnerability stems from missing validation on a user-controlled key in the show() function within the CustomerController.php file. The issue has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD, WordPress Source).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to view other users' sensitive information, including email addresses, names, and notes. This unauthorized access to personal data represents a significant privacy concern for WordPress sites using the affected plugin versions (NVD).

Site administrators running affected versions of the WP SmartPay plugin (versions 1.1.0 to 2.7.13) should update to the latest version when available. Until a patch is released, it is recommended to restrict user roles and access to the minimum required levels (NVD).