Get Started

WordPress: Order Manipulation via Insecure ‘add_offer_in_cart’ Function in Upsell Funnel Builder Plugin

by the Hossted team
25.04.2025

In Upsell Funnel Builder for WooCommerce plugin for WordPress versions up to and including 3.0.0 a medium severity vulnerability CVE-2025-3743 was detected. This vulnerability allows unauthenticated attackers to manipulate the product ID and discount field associated with any order bump, enabling them to arbitrarily update the product and discount when adding it to the cart. To address this issue, users should upgrade Upsell Funnel Builder for WooCommerce plugin to versions 3.0.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-3743.

Related articles
OSSpedia
OSSpedia 19 Feb 2025 WordPress: Insecure Direct Object Reference in Education Addon for Elementor Plugin Business and Enterprise Solutions CMS WOR
OSSpedia 19 Feb 2025 WordPress: Cross-Site Request Forgery Vulnerability in DeBounce Email Validator Plugin Business and Enterprise Solutions CMS WOR
OSSpedia 19 Feb 2025 WordPress: Unauthorized Access Vulnerability in Raptive Ads Plugin Business and Enterprise Solutions CMS WOR
OSSpedia 11 Mar 2025 WordPress: Stored XSS Vulnerability in Countdown Timer Plugin Business and Enterprise Solutions CMS WOR