Cyber Resilience

CVE-2025-3530

High

Published: 23 April 2025

Published
23 April 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0014 34.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-3530 is a high-severity External Control of Assumed-Immutable Web Parameter (CWE-472) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, ranked at the 34.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to and including 5.1.2. The flaw stems from inconsistent parameter handling during cart addition, where the plugin computes a security hash using the 'product_tmp_two' parameter but displays product details via 'wspsc_product', enabling tampering that bypasses intended price validation. This is tracked as CWE-472 with a CVSS 3.1 score of 7.5.

An unauthenticated attacker can exploit the issue over the network by substituting details from a lower-priced product into the cart process, allowing them to purchase higher-value items without paying the correct amount and achieving integrity impact without requiring user interaction or privileges.

The referenced changeset on the WordPress plugin trac indicates that a fix has been applied in a subsequent release, so site administrators should update the plugin to a version beyond 5.1.2 to address the parameter inconsistency.

EPSS for this CVE rose from a low baseline to a peak of 0.0118 on 2026-02-17 before receding to the current value of 0.0014, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involving the inconsistent use of parameters during the cart addition process.…

more

The plugin uses the parameter 'product_tmp_two' for computing a security hash against price tampering while using 'wspsc_product' to display the product, allowing an unauthenticated attacker to substitute details from a cheaper product and bypass payment for a more expensive item.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References