cleantalk
Vulnerabilities and Security Researches

WPshop 2 – E-Commerce, CVE-2025-3853

CVE, Research URL

CVE-2025-3853

Home page URL

Security reports for WPshop 2 – E-Commerce

Application

WPshop 2 – E-Commerce

Published on
May 07, 2025
Research Description
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callback_generate_api_key() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create valid API keys on behalf of other users.
Affected versions
Min 2.0.0, max 2.6.0.
Status
vulnerable
Previous vulnerability researches
Custom PC Builder Lite for WooCommerce (CVE-2025-43838) , May 06, 2025
New vulnerability
SMS Alert Order Notifications – WooCommerce (CVE-2025-3876) , May 11, 2025
SMS Alert Order Notifications – WooCommerce (CVE-2025-3878) , May 11, 2025
WordPress Review Plugin: The Ultimate Solution for Building a Review Website (CVE-2025-2158) , May 11, 2025
Drag and Drop Multiple File Upload for WooCommerce (CVE-2025-4403) , May 11, 2025
Contact Us By Lord Linus (CVE-2025-1382) , May 11, 2025