[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fi-GYHmRChr7-pbcvV0HMMvELqIjH-dr7l7tWd2f_xds":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-48868","simple-shopping-cart-unauthenticated-insecure-direct-object-reference","Simple Shopping Cart \u003C= 5.2.9 - Unauthenticated Insecure Direct Object Reference","The Simple Shopping Cart plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.2.9 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to perform an unauthorized action.","wordpress-simple-paypal-shopping-cart",null,"\u003C=5.2.9","5.3.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-06-02 00:00:00","2026-06-11 13:46:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F9d847027-0b22-4310-b60e-3bd2ad1940f5?source=api-prod",10,[22,23,24,25],"includes\u002Fclass-wpsc-cart.php","languages\u002Fwordpress-simple-paypal-shopping-cart.pot","readme.txt","wp_shopping_cart.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-48868\n\n## 1. Vulnerability Summary\nThe **Simple Shopping Cart** plugin (versions \u003C= 5.2.9) is vulnerable to an **Unauthenticated Insecure Direct Object Reference (IDOR)**. The vulnerability exists because certain AJAX handlers or request processors accept a user-controlled \"key\" (likely a `cart_id` or `order_id`) to identify a shopping cart session and perform actions on it (such as updating shipping\u002Ftax regions or resetting state) without verifying that the requester is the legitimate owner of that cart session (i.e., by checking against the `simple_cart_id` cookie).\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (AJAX) or any page containing the shopping cart shortcode (via `$_REQUEST` parameters).\n*   **Vulnerable Action:** `wpsc_shipping_region_selection` or `wpsc_tax_region_selection` (inferred from common patterns in this plugin's AJAX handlers).\n*   **Payload Parameter:** `cart_id` (the user-controlled key) and the action-specific data (e.g., `region`).\n*   **Authentication:** None required (unauthenticated).\n*   **Preconditions:** An active cart session must exist (identified by a `cart_id`).\n\n## 3. Code Flow\n1.  An attacker identifies a target `cart_id` (a `","The Simple Shopping Cart plugin is vulnerable to Unauthenticated Insecure Direct Object Reference (IDOR) because it identifies cart sessions using a predictable key generated with 'uniqid()' and lacks proper authorization checks when loading cart objects. Attackers can guess or identify active cart IDs to perform unauthorized actions such as modifying shipping\u002Ftax regions or resetting another user's cart state.","\u002F\u002F includes\u002Fclass-wpsc-cart.php\n\n\u002F\u002F Line 42: Constructor loads the cart object based solely on the cookie value without session validation.\nprivate function __construct() {\n    $this->cart_id = isset( $_COOKIE['simple_cart_id'] ) ? $_COOKIE['simple_cart_id'] : 0;\n\n    $cart_cpt_id = wpsc_get_cart_cpt_id_by_cart_id( $this->cart_id );\n    if ( ! empty( $cart_cpt_id ) ) {\n        \u002F\u002F Assign all previously saved properties of WPSC_Cart object.\n        $saved_wpsc_cart_object = $this->get_cart_from_postmeta( $cart_cpt_id );\n---\n\u002F\u002F Line 98: predictable ID generation for the cart session.\nif ( $cart_cpt_id ) {\n    \u002F\u002FSet the cookie with unique cart ID.\n    $cart_id           = uniqid();\n    $cookie_expiration = time() + ( 86400 * 30 ); \u002F\u002F 30 days\n    setcookie( 'simple_cart_id', $cart_id, $cookie_expiration, '\u002F' );","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwordpress-simple-paypal-shopping-cart\u002F5.2.9\u002Fincludes\u002Fclass-wpsc-cart.php\t2025-12-10 09:30:16.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwordpress-simple-paypal-shopping-cart\u002F5.3.0\u002Fincludes\u002Fclass-wpsc-cart.php\t2026-05-19 09:40:48.000000000 +0000\n@@ -95,7 +95,7 @@\n \n \t\tif ( $cart_cpt_id ) {\n \t\t\t\u002F\u002FSet the cookie with unique cart ID.\n-\t\t\t$cart_id           = uniqid();\n+\t\t\t$cart_id           = bin2hex(random_bytes(16));\n \t\t\t$cookie_expiration = time() + ( 86400 * 30 ); \u002F\u002F 30 days\n \t\t\tsetcookie( 'simple_cart_id', $cart_id, $cookie_expiration, '\u002F' );","The exploit targets the predictability of the 'simple_cart_id' and the lack of server-side ownership verification. \n1. Identify a target 'cart_id'. In vulnerable versions, these are generated via PHP's 'uniqid()', which is based on system time and can be predicted if the creation time is approximately known.\n2. An unauthenticated attacker crafts an AJAX request to 'wp-admin\u002Fadmin-ajax.php' with an action such as 'wpsc_shipping_region_selection' or 'wpsc_tax_region_selection'.\n3. By setting the 'simple_cart_id' cookie to the guessed or identified target ID, the plugin's 'WPSC_Cart' constructor will load the victim's cart object from the database ('wpsc_cart_orders' post type).\n4. The attacker can then modify the state of that cart (e.g., altering shipping\u002Ftax costs) or potentially interact with the order data, as the plugin fails to verify that the current visitor is the actual creator of that cart session.","gemini-3-flash-preview","2026-06-26 06:00:21","2026-06-26 06:01:57",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","5.2.9","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwordpress-simple-paypal-shopping-cart\u002Ftags\u002F5.2.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordpress-simple-paypal-shopping-cart.5.2.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwordpress-simple-paypal-shopping-cart\u002Ftags\u002F5.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordpress-simple-paypal-shopping-cart.5.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwordpress-simple-paypal-shopping-cart\u002Ftags"]