Medium severity5.3NVD Advisory· Published Apr 25, 2025· Updated Apr 15, 2026
CVE-2025-3743
CVE-2025-3743
Description
The Upsell Funnel Builder for WooCommerce plugin for WordPress is vulnerable to order manipulation in all versions up to, and including, 3.0.0. This is due to the plugin allowing the additional product ID and discount field to be manipulated prior to processing via the 'add_offer_in_cart' function. This makes it possible for unauthenticated attackers to arbitrarily update the product associated with any order bump, and arbitrarily update the discount applied to any order bump item, when adding it to the cart.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <=3.0.0
Patches
Vulnerability mechanics
References
6- plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.phpnvd
- plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.phpnvd
- plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.phpnvd
- plugins.trac.wordpress.org/browser/upsell-order-bump-offer-for-woocommerce/tags/3.0.0/public/class-upsell-order-bump-offer-for-woocommerce-public.phpnvd
- plugins.trac.wordpress.org/changeset/3279944/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/b0e1546b-c8cc-4d57-9909-153209e3a9c6nvd
News mentions
0No linked articles in our index yet.