Medium severity5.3NVD Advisory· Published Apr 25, 2025· Updated Apr 15, 2026
CVE-2025-3743
CVE-2025-3743
Description
The Upsell Funnel Builder for WooCommerce plugin for WordPress is vulnerable to order manipulation in all versions up to, and including, 3.0.0. This is due to the plugin allowing the additional product ID and discount field to be manipulated prior to processing via the 'add_offer_in_cart' function. This makes it possible for unauthenticated attackers to arbitrarily update the product associated with any order bump, and arbitrarily update the discount applied to any order bump item, when adding it to the cart.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.phpnvd
- plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.phpnvd
- plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.phpnvd
- plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.phpnvd
- plugins.trac.wordpress.org/changeset/3279944/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/b0e1546b-c8cc-4d57-9909-153209e3a9c6nvd
News mentions
0No linked articles in our index yet.