PT-2023-16978 · WordPress · Wp Simple Shopping Cart

Ayoub Safa · Published 2023-03-16 · Updated 2023-03-22 · CVE-2023-1431

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: WP Simple Shopping Cart plugin for WordPress, versions up to and including 4.6.3

Description: The issue allows unauthenticated attackers to view sensitive information that should be limited to administrators only. This information can include first name, last name, email, address, IP address, and more. The problem arises because the plugin saves shopping cart data exports in a publicly accessible location, specifically under the /wp-content/plugins/wordpress-simple-paypal-shopping-cart/includes/admin/ endpoint, where anyone who knows or guesses the file path can download them without logging in.

Recommendations: For WP Simple Shopping Cart plugin for WordPress versions up to and including 4.6.3, consider restricting web access to the /wp-content/plugins/wordpress-simple-paypal-shopping-cart/includes/admin/ endpoint until a patch is available. As a temporary workaround, avoid using the plugin's data export feature to minimize the risk of sensitive information exposure, and remove any export files already saved there. Update to a version later than 4.6.3 once one is available.
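The access restriction recommended above, as an added example that is not the plugin's or the advisory author's code: a small POSIX shell helper for an Apache-served WordPress install that writes a deny-all .htaccess into the plugin's includes/admin directory and lists any export files already sitting there. The web-root argument, the assumption that AllowOverride is enabled for wp-content, and the .csv extension used to spot exports are all assumptions; nginx ignores .htaccess, so an equivalent `location` block with `deny all;` is needed there instead.

```shell
#!/bin/sh
# Hypothetical hardening helper for CVE-2023-1431 (example code, not from the
# plugin or the advisory). Assumes: Apache with AllowOverride enabled for
# wp-content, the WordPress root passed as $1, and exports saved as .csv files.

PLUGIN_ADMIN_DIR="wp-content/plugins/wordpress-simple-paypal-shopping-cart/includes/admin"

# List export files already present in the exposed directory (assumed .csv).
# Returns 1 if the plugin directory does not exist at all.
list_exports() {
  dir="$1/$PLUGIN_ADMIN_DIR"
  [ -d "$dir" ] || return 1
  find "$dir" -maxdepth 1 -type f -name '*.csv'
}

# Write an .htaccess that denies all direct web access to the directory.
# Covers both Apache 2.4 (mod_authz_core) and the older 2.2 syntax.
deny_web_access() {
  dir="$1/$PLUGIN_ADMIN_DIR"
  mkdir -p "$dir"
  cat > "$dir/.htaccess" <<'EOF'
# Temporary mitigation for CVE-2023-1431: block direct web access to
# shopping-cart data exports saved in this directory.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
  chmod 0644 "$dir/.htaccess"
}

# Check that the deny rule is in place; returns 0 when the directory is hardened.
is_hardened() {
  f="$1/$PLUGIN_ADMIN_DIR/.htaccess"
  [ -f "$f" ] && grep -q 'Require all denied' "$f"
}

# Usage: sh harden.sh /var/www/html
if [ $# -gt 0 ]; then
  deny_web_access "$1"
  echo "Export files still present (review and remove):"
  list_exports "$1"
  is_hardened "$1" && echo "Web access to $PLUGIN_ADMIN_DIR is now denied."
fi
```

If the plugin's admin screens load scripts or stylesheets directly from this directory, a blanket deny may break them; in that case narrow the rule to the export files (for example a `<FilesMatch "\.csv$">` block) rather than the whole directory.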

Fix

Related Identifiers

CVE-2023-1431

Affected Products

Wp Simple Shopping Cart