Simple Shopping Cart <= 5.2.9 - Unauthenticated Insecure Direct Object Reference
Description
The Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.2.9 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=5.2.9What Changed in the Fix
Changes introduced in v5.3.0
Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2026-48868 ## 1. Vulnerability Summary The **Simple Shopping Cart** plugin (versions <= 5.2.9) is vulnerable to an **Unauthenticated Insecure Direct Object Reference (IDOR)**. The vulnerability exists because certain AJAX handlers or request processors accept a us…
Show full research plan
Exploitation Research Plan - CVE-2026-48868
1. Vulnerability Summary
The Simple Shopping Cart plugin (versions <= 5.2.9) is vulnerable to an Unauthenticated Insecure Direct Object Reference (IDOR). The vulnerability exists because certain AJAX handlers or request processors accept a user-controlled "key" (likely a cart_id or order_id) to identify a shopping cart session and perform actions on it (such as updating shipping/tax regions or resetting state) without verifying that the requester is the legitimate owner of that cart session (i.e., by checking against the simple_cart_id cookie).
2. Attack Vector Analysis
- Endpoint:
wp-admin/admin-ajax.php(AJAX) or any page containing the shopping cart shortcode (via$_REQUESTparameters). - Vulnerable Action:
wpsc_shipping_region_selectionorwpsc_tax_region_selection(inferred from common patterns in this plugin's AJAX handlers). - Payload Parameter:
cart_id(the user-controlled key) and the action-specific data (e.g.,region). - Authentication: None required (unauthenticated).
- Preconditions: An active cart session must exist (identified by a
cart_id).
3. Code Flow
- An attacker identifies a target
cart_id(a `
Summary
The Simple Shopping Cart plugin is vulnerable to Unauthenticated Insecure Direct Object Reference (IDOR) because it identifies cart sessions using a predictable key generated with 'uniqid()' and lacks proper authorization checks when loading cart objects. Attackers can guess or identify active cart IDs to perform unauthorized actions such as modifying shipping/tax regions or resetting another user's cart state.
Vulnerable Code
// includes/class-wpsc-cart.php // Line 42: Constructor loads the cart object based solely on the cookie value without session validation. private function __construct() { $this->cart_id = isset( $_COOKIE['simple_cart_id'] ) ? $_COOKIE['simple_cart_id'] : 0; $cart_cpt_id = wpsc_get_cart_cpt_id_by_cart_id( $this->cart_id ); if ( ! empty( $cart_cpt_id ) ) { // Assign all previously saved properties of WPSC_Cart object. $saved_wpsc_cart_object = $this->get_cart_from_postmeta( $cart_cpt_id ); --- // Line 98: predictable ID generation for the cart session. if ( $cart_cpt_id ) { //Set the cookie with unique cart ID. $cart_id = uniqid(); $cookie_expiration = time() + ( 86400 * 30 ); // 30 days setcookie( 'simple_cart_id', $cart_id, $cookie_expiration, '/' );
Security Fix
@@ -95,7 +95,7 @@ if ( $cart_cpt_id ) { //Set the cookie with unique cart ID. - $cart_id = uniqid(); + $cart_id = bin2hex(random_bytes(16)); $cookie_expiration = time() + ( 86400 * 30 ); // 30 days setcookie( 'simple_cart_id', $cart_id, $cookie_expiration, '/' );
Exploit Outline
The exploit targets the predictability of the 'simple_cart_id' and the lack of server-side ownership verification. 1. Identify a target 'cart_id'. In vulnerable versions, these are generated via PHP's 'uniqid()', which is based on system time and can be predicted if the creation time is approximately known. 2. An unauthenticated attacker crafts an AJAX request to 'wp-admin/admin-ajax.php' with an action such as 'wpsc_shipping_region_selection' or 'wpsc_tax_region_selection'. 3. By setting the 'simple_cart_id' cookie to the guessed or identified target ID, the plugin's 'WPSC_Cart' constructor will load the victim's cart object from the database ('wpsc_cart_orders' post type). 4. The attacker can then modify the state of that cart (e.g., altering shipping/tax costs) or potentially interact with the order data, as the plugin fails to verify that the current visitor is the actual creator of that cart session.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.