PT-2025-18383 · WordPress · Wordpress Simple Shopping Cart

Jack Taylor · Published 2025-05-01 · Updated 2025-05-06 · CVE-2025-3889

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WordPress Simple Shopping Cart plugin versions up to, and including, 5.1.3

Description: The issue allows unauthenticated attackers to set the quantity of a product to a negative number, which subtracts that product's cost from the total order cost. This is possible because a user-controlled key is not validated in the process payment data function. The attack is limited to Manual Checkout mode, as payment processors such as PayPal and Stripe do not process payments for negative quantities.

Recommendations: For WordPress Simple Shopping Cart plugin versions up to, and including, 5.1.3, consider disabling Manual Checkout mode until a patch is available. Additionally, restrict access to the process payment data function to minimize the risk of negative quantity manipulation.
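As an added illustration, not the plugin's own code, the pattern the description attributes to the plugin (a client-supplied quantity used without a range check) beside a hardened version that only accepts positive integer quantities; the request key names, prices and items are constructed for the example.

```php
<?php
// Added illustration, not the plugin's code. Cart items and the request
// array are constructed; key names ("product_id", "quantity") are assumed.

// Vulnerable pattern: the quantity is trusted as sent by the client, so a
// negative value subtracts that line's cost from the order total.
function order_total_unvalidated(array $prices, array $items): float {
    $total = 0.0;
    foreach ($items as $item) {
        $qty = (int) $item['quantity'];             // no range check
        $total += $prices[$item['product_id']] * $qty;
    }
    return $total;
}

// Hardened pattern: each quantity must be a positive integer within a sane
// range and each product must exist; anything else aborts the checkout.
function validate_quantity($raw, int $max = 999): int {
    // Accept only integers or digit strings such as "3"; reject "-1", "3.5", "".
    if (!is_int($raw) && !(is_string($raw) && ctype_digit($raw))) {
        throw new InvalidArgumentException('quantity must be a positive integer');
    }
    $qty = (int) $raw;
    if ($qty < 1 || $qty > $max) {
        throw new InvalidArgumentException('quantity out of range');
    }
    return $qty;
}

function order_total_validated(array $prices, array $items): float {
    $total = 0.0;
    foreach ($items as $item) {
        if (!isset($prices[$item['product_id']])) {
            throw new InvalidArgumentException('unknown product');
        }
        $total += $prices[$item['product_id']] * validate_quantity($item['quantity']);
    }
    return $total;
}

// Constructed sample: two products, the second submitted with quantity "-1".
$prices = ['sku-a' => 10.00, 'sku-b' => 25.00];
$items  = [['product_id' => 'sku-a', 'quantity' => '2'],
           ['product_id' => 'sku-b', 'quantity' => '-1']];

echo order_total_unvalidated($prices, $items), "\n";   // negative line lowers the total
try {
    echo order_total_validated($prices, $items), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";          // checkout aborted instead
}
```

The same check must run server-side at the point the payment data is processed, since client-side cart code cannot be trusted to enforce it.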

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2025-3889

Affected Products: Wordpress Simple Shopping Cart