Simple Shopping Cart Security & Risk Analysis

wordpress.org/plugins/wordpress-simple-paypal-shopping-cart

Lightweight, user-friendly plugin to sell products/services on WordPress. Easily add a shopping cart and start accepting orders in minutes.

10K active installs · v5.2.9 · PHP 7.4+ · WP 6.0+ · Updated Apr 4, 2026
Tags: cart, ecommerce, sell-online, shop, shopping-cart

Score: 89 (A · Safe)
CVEs total: 11
Unpatched: 0
Last CVE: Apr 3, 2026
Safety Verdict

Is Simple Shopping Cart Safe to Use in 2026?

Generally Safe

Score 89/100

Simple Shopping Cart has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

11 known CVEs · Last CVE: Apr 3, 2026 · Updated 1mo ago
Risk Assessment

The wordpress-simple-paypal-shopping-cart plugin, version 5.2.6, exhibits a mixed security posture. While it demonstrates good practices such as using prepared statements for all SQL queries and a high percentage of properly escaped outputs, several areas raise concerns. The static analysis reveals a significant attack surface with 25 entry points, 6 of which lack authentication checks. This, combined with the presence of the `unserialize` function, could lead to vulnerabilities if the deserialized data is not handled with extreme care. Taint analysis did not reveal any critical or high severity flows, which is a positive sign, indicating that the analysed input paths are sanitized effectively.

The vulnerability history of this plugin is a significant red flag. With 10 known CVEs, including 2 high severity and 8 medium severity, it suggests a pattern of recurring security weaknesses. The types of past vulnerabilities, such as Authorization Bypass, External Control of Assumed-Immutable Web Parameter, and Cross-Site Scripting, are serious and common attack vectors. The most recent vulnerability, dating to April 2025, indicates ongoing issues, despite being marked as currently unpatched. While the plugin has strengths in its SQL handling and output escaping, the large attack surface with unprotected entry points and the extensive history of serious vulnerabilities necessitate careful consideration and prompt patching.

In conclusion, while the plugin has some robust security implementations, the number of unprotected entry points and its history of high and medium severity vulnerabilities present a considerable risk. Users should be aware of the potential for exploitation due to the exposed attack surface and the plugin's past security incidents. It is crucial to ensure that all past vulnerabilities are patched and to closely monitor for any future security advisories.

Key Concerns

  • Unprotected AJAX handlers
  • Presence of 'unserialize' function
  • Significant number of known CVEs (10)
  • History of high severity vulnerabilities (2)
  • History of medium severity vulnerabilities (8)
  • Vulnerability dated 2025-04-30 22:01:39
Vulnerabilities
11 published

Simple Shopping Cart Security Vulnerabilities

CVEs by Year

  2014: 1 CVE
  2022: 1 CVE
  2023: 1 CVE
  2024: 2 CVEs
  2025: 5 CVEs
  2026: 1 CVE

Severity Breakdown

  High: 2
  Medium: 9

11 total CVEs

CVE-2026-0552 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Simple Shopping Cart <= 5.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsc_display_product' Shortcode
Apr 3, 2026 · Patched in 5.2.5 (1d)

CVE-2025-3890 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Simple PayPal Shopping Cart <= 5.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Apr 30, 2025 · Patched in 5.1.4 (1d)

CVE-2025-3889 · medium · 5.3 · Authorization Bypass Through User-Controlled Key
WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference via 'quantity'
Apr 30, 2025 · Patched in 5.1.4 (1d)

CVE-2025-3874 · medium · 6.5 · Authorization Bypass Through User-Controlled Key
WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference
Apr 30, 2025 · Patched in 5.1.4 (1d)

CVE-2025-3530 · high · 7.5 · External Control of Assumed-Immutable Web Parameter
WordPress Simple PayPal Shopping Cart <= 5.1.2 - Unauthenticated Product Price Manipulation
Apr 22, 2025 · Patched in 5.1.3 (1d)

CVE-2025-3529 · high · 8.2 · Insertion of Sensitive Information Into Sent Data
WordPress Simple PayPal Shopping Cart <= 5.1.2 - Unauthenticated Information Exposure via file_url Parameter
Apr 22, 2025 · Patched in 5.1.3 (1d)

CVE-2024-12622 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Simple Shopping Cart <= 5.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Dec 23, 2024 · Patched in 5.0.8 (1d)

CVE-2023-6497 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Simple Shopping Cart <= 4.7.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
Jan 26, 2024 · Patched in 4.7.2 (186d)

CVE-2023-1431 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor
WP Simple Shopping Cart <= 4.6.3 - Information Disclosure
Mar 16, 2023 · Patched in 4.6.4 (313d)

CVE-2022-4672 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WordPress Simple PayPal Shopping Cart <= 4.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Dec 27, 2022 · Patched in 4.6.2 (392d)

CVE-2013-2705 · medium · 4.7 · Cross-Site Request Forgery (CSRF)
WordPress Simple PayPal Shopping Cart < 3.6 - Cross-Site Request Forgery
Aug 1, 2014 · Patched in 3.6 (3462d)

Version History

Simple Shopping Cart Release Timeline

v5.2.9 (current)
v5.2.8
v5.2.7
v5.2.6
v5.2.5
v5.2.4 (1 CVE)
v5.2.3 (1 CVE)
v5.2.2 (1 CVE)
v5.2.1 (1 CVE)
v5.2.0 (1 CVE)
v5.1.9 (1 CVE)
v5.1.8 (1 CVE)
v5.1.7 (1 CVE)
v5.1.6 (1 CVE)
v5.1.5 (1 CVE)
v5.1.4 (1 CVE)

Code Analysis
Analyzed Mar 16, 2026

Simple Shopping Cart Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 124 (453 escaped)
Nonce Checks: 29
Capability Checks: 15
File Operations: 15
External Requests: 3
Bundled Libraries: 1

Dangerous Functions Found

unserialize at includes\class-wpsc-cart.php:151: return unserialize($serialized_cart_object); // Unserialize data to get the object

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared (2 total queries)

Output Escaping

79% escaped (577 total outputs)

Data Flows · Security
All sanitized

Data Flow Analysis

17 flows
show_wp_cart_adv_settings_page (includes\admin\wp_shopping_cart_menu_adv_settings.php:3)
Attack Surface
6 unprotected

Simple Shopping Cart Attack Surface

Entry Points: 25
Unprotected: 6

AJAX Handlers 12

auth · wp_ajax_wpsc_resend_sale_notification_email · includes\admin\wp_shopping_cart_admin_ajax.php:7
auth · wp_ajax_wpsc_mark_order_confirm · includes\admin\wp_shopping_cart_admin_ajax.php:8
auth · wp_ajax_wpsc_feedback_notice_dismiss · includes\admin\wp_shopping_cart_admin_user_feedback.php:23
auth · wp_ajax_wp_cart_get_tinymce_form · includes\admin\wp_shopping_cart_tinymce.php:14
auth · wp_ajax_wpsc_add_to_cart · includes\class-wpsc-cart-ajax-handler.php:7
nopriv · wp_ajax_wpsc_add_to_cart · includes\class-wpsc-cart-ajax-handler.php:8
auth · wp_ajax_wpsc_process_pp_smart_checkout · includes\wpsc-misc-checkout-ajax-handler.php:4
nopriv · wp_ajax_wpsc_process_pp_smart_checkout · includes\wpsc-misc-checkout-ajax-handler.php:5
auth · wp_ajax_wpsc_stripe_create_checkout_session · includes\wpsc-misc-checkout-ajax-handler.php:7
nopriv · wp_ajax_wpsc_stripe_create_checkout_session · includes\wpsc-misc-checkout-ajax-handler.php:8
auth · wp_ajax_wpsc_manual_payment_checkout · includes\wpsc-misc-checkout-ajax-handler.php:10
nopriv · wp_ajax_wpsc_manual_payment_checkout · includes\wpsc-misc-checkout-ajax-handler.php:11

Shortcodes 13

[wpsc_show_shopping_cart] wp_shopping_cart_shortcodes.php:6
[show_wp_shopping_cart] wp_shopping_cart_shortcodes.php:7
[wpsc_always_show_shopping_cart] wp_shopping_cart_shortcodes.php:9
[always_show_wp_shopping_cart] wp_shopping_cart_shortcodes.php:10
[wpsc_add_to_cart_button] wp_shopping_cart_shortcodes.php:12
[wp_cart_button] wp_shopping_cart_shortcodes.php:13
[wpsc_display_product] wp_shopping_cart_shortcodes.php:15
[wp_cart_display_product] wp_shopping_cart_shortcodes.php:16
[wpsc_compact_cart] wp_shopping_cart_shortcodes.php:18
[wp_compact_cart] wp_shopping_cart_shortcodes.php:19
[wpsc_compact_cart2] wp_shopping_cart_shortcodes.php:21
[wp_compact_cart2] wp_shopping_cart_shortcodes.php:22
[wpsc_thank_you] wp_shopping_cart_shortcodes.php:24
WordPress Hooks 38

action · admin_notices · includes\admin\wp_shopping_cart_admin_user_feedback.php:22
filter · wp_default_editor · includes\admin\wp_shopping_cart_menu_email_settings.php:128
filter · wp_default_editor · includes\admin\wp_shopping_cart_menu_email_settings.php:177
action · admin_menu · includes\admin\wp_shopping_cart_menu_main.php:4
filter · admin_notices · includes\admin\wp_shopping_cart_menu_main.php:135
filter · wp_default_editor · includes\admin\wp_shopping_cart_menu_manual_checkout.php:191
filter · wp_default_editor · includes\admin\wp_shopping_cart_menu_manual_checkout.php:250
action · save_post · includes\admin\wp_shopping_cart_orders.php:6
filter · manage_edit-wpsc_cart_orders_columns · includes\admin\wp_shopping_cart_orders.php:285
action · manage_wpsc_cart_orders_posts_custom_column · includes\admin\wp_shopping_cart_orders.php:302
filter · post_type_link · includes\admin\wp_shopping_cart_orders.php:329
filter · posts_join · includes\admin\wp_shopping_cart_orders.php:338
filter · posts_where · includes\admin\wp_shopping_cart_orders.php:349
filter · posts_distinct · includes\admin\wp_shopping_cart_orders.php:363
filter · title_save_pre · includes\admin\wp_shopping_cart_orders.php:375
action · admin_print_scripts · includes\admin\wp_shopping_cart_tinymce.php:13
filter · mce_external_plugins · includes\admin\wp_shopping_cart_tinymce.php:15
filter · mce_buttons · includes\admin\wp_shopping_cart_tinymce.php:16
action · wpsc_before_shopping_cart_render · includes\class-wpsc-cart-ajax-handler.php:10
action · wp_footer · includes\class-wpsc-cart-ajax-handler.php:59
action · init · includes\classes\class.wpsc_blocks.php:19
action · wp_footer · includes\wpsc-cart-functions.php:429
filter · the_content · includes\wpsc-deprecated-functions.php:151
filter · the_content · includes\wpsc-deprecated-functions.php:152
filter · ngg_render_template · includes\wpsc-misc-functions.php:17
action · admin_init · includes\wpsc-misc-functions.php:26
action · wp_footer · includes\wpsc-paypal-ppcp-checkout-form-related.php:69
action · wp_footer · wp_shopping_cart.php:491
filter · plugin_action_links · wp_shopping_cart.php:843
action · init · wp_shopping_cart.php:845
action · admin_init · wp_shopping_cart.php:846
action · plugins_loaded · wp_shopping_cart.php:847
action · wp_head · wp_shopping_cart.php:849
action · wp_enqueue_scripts · wp_shopping_cart.php:850
action · admin_enqueue_scripts · wp_shopping_cart.php:851
action · admin_print_styles · wp_shopping_cart.php:852
action · wp · wp_shopping_cart.php:854
filter · widget_text · wp_shopping_cart_shortcodes.php:27

Maintenance & Trust

Simple Shopping Cart Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Apr 4, 2026
PHP min version: 7.4
Downloads: 2.0M

Community Trust

Rating: 92/100
Number of ratings: 215
Active installs: 10K

Developer Profile

Simple Shopping Cart Developer Profile

mra13

15 plugins · 210K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 616 days
Detection Fingerprints

How We Detect Simple Shopping Cart

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wordpress-simple-paypal-shopping-cart/cart.css
  • /wp-content/plugins/wordpress-simple-paypal-shopping-cart/cart.js
  • /wp-content/plugins/wordpress-simple-paypal-shopping-cart/cart-styles.css

Generator Patterns
  • Simple Shopping Cart – Lightweight, user-friendly plugin to sell products/services on WordPress. Easily add a shopping cart and start accepting orders in minutes.

Script Paths
  • /wp-content/plugins/wordpress-simple-paypal-shopping-cart/cart.js

Version Parameters
  • wordpress-simple-paypal-shopping-cart/cart.css?ver=
  • wordpress-simple-paypal-shopping-cart/cart.js?ver=
  • wordpress-simple-paypal-shopping-cart/cart-styles.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • wpsc_checkout_form
  • wpsc-cart-item-price
  • wpsc-cart-item-quantity
  • wpsc-cart-item-name
  • wpsc_empty_cart
  • wspsc-cart-total
  • wspsc-cart-subtotal
  • wpsc_product_cart_item

HTML Comments
  • <!-- WPSC shortcode [wp_shopping_cart] output starts here -->
  • <!-- WPSC shortcode [wp_show_cart] output starts here -->

Data Attributes
  • data-product-name
  • data-product-price
  • data-product-quantity
  • data-product-id

JS Globals
  • wpsc_cart_ajax_object

Shortcode Output
  • <form action="" method="post" class="wpsc_checkout_form">
  • <div class="wpsc_empty_cart">

FAQ

Frequently Asked Questions about Simple Shopping Cart