CVE-2025-3874: 
WordPress vulnerability analysis and mitigation

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in all versions up to, and including, 5.1.3. The vulnerability exists due to lack of randomization of a user controlled key, which allows unauthenticated attackers to access customer shopping carts and edit product links, add or delete products, and discover coupon codes (NVD).

The vulnerability stems from improper access controls in the cart ID handling mechanism. The plugin uses a predictable cart ID stored in cookies that can be manipulated by attackers to access other users' cart data. The affected code is in the cart handling functions, particularly in class-wpsc-cart.php where cart IDs are managed. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) (NVD, Wiz).

The vulnerability allows unauthenticated attackers to: access other customers' shopping cart contents, modify product links in existing carts, add or remove products from other users' carts, and discover valid coupon codes being used in the system. This could lead to privacy breaches and potential manipulation of order details (NVD).

A patch has been released in version 5.1.4 of the WordPress Simple Shopping Cart plugin that implements proper randomization of cart IDs. Site administrators should update to the latest version immediately. Until the update can be applied, consider disabling the shopping cart functionality if possible (NVD).