PT-2025-17887 · WordPress · Upsell Funnel Builder For Woocommerce

Pwn4Thelulz · Published 2025-04-25 · Updated 2025-04-25 · CVE-2025-3743

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: The Upsell Funnel Builder for WooCommerce plugin for WordPress, versions up to and including 3.0.0.

Description: The issue allows unauthenticated attackers to manipulate orders by updating the product associated with any order bump, and the discount applied to any order bump item, when adding it to the cart. This is due to the plugin allowing the additional product ID and discount field to be manipulated prior to processing via the add offer in cart function.

Recommendations: For versions up to and including 3.0.0, update to a version higher than 3.0.0 to resolve the issue. As a temporary workaround, consider restricting access to the add offer in cart function to prevent unauthenticated attackers from manipulating orders.
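The root cause described above is a cart handler that trusts a product ID and a discount value supplied by the request. The snippet below is an added illustrative example, not code from the Upsell Funnel Builder plugin or from the advisory author; every function, hook action, option name and request field in it is hypothetical. It shows the hardened shape of a WooCommerce "add offer to cart" AJAX handler: the request carries only an opaque bump identifier, the server looks up which product and which discount that bump maps to, and the discount is applied from server-set cart item data rather than from any request field.

```php
<?php
// Added illustrative example (not the plugin's code). All names are hypothetical.
// Hardened "add offer to cart" handler: the server, not the request, decides
// which product is added and which discount applies.

// Hypothetical server-side order-bump configuration kept in a WP option:
// bump ID => [ 'product_id' => int, 'discount_percent' => float ].
function example_get_bump_config( int $bump_id ): ?array {
    $bumps = get_option( 'example_order_bumps', array() ); // hypothetical option name
    return isset( $bumps[ $bump_id ] ) ? $bumps[ $bump_id ] : null;
}

function example_add_offer_to_cart() {
    // 1. Tie the request to the page that rendered the bump. Guest checkout has
    //    no capability to check, so a nonce is the minimum; logged-in-only flows
    //    can add current_user_can() on top.
    check_ajax_referer( 'example_add_offer', 'security' );

    // 2. Accept only a bump identifier. The weak pattern described in the
    //    advisory reads the product ID and discount straight from the request;
    //    here those values never come from the client.
    $bump_id = isset( $_POST['bump_id'] ) ? absint( $_POST['bump_id'] ) : 0;
    $config  = example_get_bump_config( $bump_id );
    if ( null === $config ) {
        wp_send_json_error( array( 'message' => 'Unknown offer.' ), 400 );
    }

    $product_id = absint( $config['product_id'] );
    $discount   = (float) $config['discount_percent'];

    // 3. Validate the configured product against the catalogue before touching the cart.
    $product = wc_get_product( $product_id );
    if ( ! $product || ! $product->is_purchasable() ) {
        wp_send_json_error( array( 'message' => 'Offer not available.' ), 400 );
    }

    // 4. Record the discount as server-set cart item data; the pricing hook
    //    below reads this value and nothing from the request.
    $item_key = WC()->cart->add_to_cart(
        $product_id,
        1,
        0,
        array(),
        array( 'example_bump_discount' => $discount )
    );
    if ( ! $item_key ) {
        wp_send_json_error( array( 'message' => 'Could not add offer.' ), 500 );
    }

    wp_send_json_success( array( 'cart_item_key' => $item_key ) );
}
add_action( 'wp_ajax_example_add_offer', 'example_add_offer_to_cart' );
add_action( 'wp_ajax_nopriv_example_add_offer', 'example_add_offer_to_cart' );

// Apply the server-set discount when WooCommerce calculates cart totals.
function example_apply_bump_discount( $cart ) {
    if ( is_admin() && ! defined( 'DOING_AJAX' ) ) {
        return;
    }
    foreach ( $cart->get_cart() as $item ) {
        if ( isset( $item['example_bump_discount'] ) ) {
            // Clamp so a misconfigured option can never produce a negative price.
            $pct   = max( 0.0, min( 100.0, (float) $item['example_bump_discount'] ) );
            $price = (float) $item['data']->get_regular_price();
            $item['data']->set_price( $price * ( 1 - $pct / 100 ) );
        }
    }
}
add_action( 'woocommerce_before_calculate_totals', 'example_apply_bump_discount' );
```

The design point is that the only client-controlled input is the bump identifier, which is resolved against configuration the site owner wrote; if a request cannot name a product or a discount, there is nothing in the add-offer path left to manipulate. The nonce check also covers the advisory's interim advice to restrict who can reach the function while a patched version is rolled out.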

Fix

Weakness Enumeration

Related Identifiers: CVE-2025-3743

Affected Products: Upsell Funnel Builder For Woocommerce