WordPress Simple Shopping Cart Insecure Direct Object Reference Vulnerability Allowing Quantity Manipulation

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the WordPress Simple Shopping Cart plugin, affecting all versions through 5.1.3. The flaw is in the 'process_payment_data' function, where insufficient validation allows unauthenticated users to manipulate product quantities. An attacker can change a product's quantity to a negative value, which deducts that product's price from the total order cost. Exploitation is only viable in Manual Checkout mode, because other payment processors such as PayPal and Stripe do not accept negative quantities.

Impact

Exploitation of this vulnerability could lead to unauthorized reductions in order totals, allowing attackers to manipulate payment amounts during the checkout process.

Reproduction

To reproduce this vulnerability, first ensure that the WordPress Simple Shopping Cart plugin is installed and activated, with version 5.1.3 or earlier. Enable the Manual Checkout option in the plugin settings. Once this is set, an unauthenticated user can send a request to the 'process_payment_data' endpoint, including a negative quantity value for a product. This request will be processed without proper validation, resulting in a decreased order total.

Remediation

Users are advised to update the WordPress Simple Shopping Cart plugin to version 5.1.4 or later, where this vulnerability has been patched.
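
The following is an added example, not the plugin's code or its 5.1.4 patch: a hypothetical cart-total routine showing how an unchecked negative quantity lowers the order total, beside a version that rejects it with a server-side range check. The catalogue, the function names and the quantity cap of 100 are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed server-side catalogue (hypothetical): price in cents per product id.
const CATALOGUE = ['tshirt' => 2500, 'mug' => 1200];

// Unsafe pattern: the submitted quantity is cast and used as-is,
// so a negative quantity subtracts that line's price from the total.
function order_total_unchecked(array $items): int
{
    $total = 0;
    foreach ($items as $item) {
        $total += CATALOGUE[$item['id']] * (int) $item['qty'];
    }
    return $total;
}

// Hardened pattern: the product must exist in the server-side catalogue and
// the quantity must be a whole number between 1 and $maxQty (assumed cap).
function order_total_validated(array $items, int $maxQty = 100): int
{
    $total = 0;
    foreach ($items as $item) {
        $id = $item['id'] ?? null;
        if (!is_string($id) || !array_key_exists($id, CATALOGUE)) {
            throw new InvalidArgumentException('unknown product');
        }
        $qty = filter_var($item['qty'] ?? null, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 1, 'max_range' => $maxQty],
        ]);
        if ($qty === false) {
            throw new InvalidArgumentException("invalid quantity for $id");
        }
        $total += CATALOGUE[$id] * $qty;
    }
    return $total;
}

// Constructed sample cart: the second line carries a negative quantity.
$cart = [['id' => 'tshirt', 'qty' => '1'], ['id' => 'mug', 'qty' => '-2']];
echo 'unchecked total (cents): ', order_total_unchecked($cart), "\n";
try {
    echo 'validated total (cents): ', order_total_validated($cart), "\n";
} catch (InvalidArgumentException $e) {
    echo 'order rejected: ', $e->getMessage(), "\n";
}
```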

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 7.4
remediation: 8.3
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.