cleantalk
Vulnerabilities and Security Researches

WPshop 2 – E-Commerce, CVE-2025-3853

CVE, Research URL

CVE-2025-3853

Home page URL

Security reports for WPshop 2 – E-Commerce

Application

WPshop 2 – E-Commerce

Published on
May 07, 2025
Research Description
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callback_generate_api_key() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create valid API keys on behalf of other users.
Affected versions
Min 2.0.0, max 2.6.0.
Status
vulnerable
Previous vulnerability researches
Tainacan Interface (CVE-2024-3867) , Jun 10, 2024
Tainacan (CVE-2024-4367) , Jul 22, 2024
Tainacan (CVE-2024-9221) , Oct 12, 2024
Tainacan (CVE-2024-7135) , Aug 01, 2024
Tainacan (CVE-2024-48040) , May 06, 2025
New vulnerability
SMS Alert Order Notifications – WooCommerce (CVE-2025-3876) , May 11, 2025
SMS Alert Order Notifications – WooCommerce (CVE-2025-3878) , May 11, 2025
WordPress Review Plugin: The Ultimate Solution for Building a Review Website (CVE-2025-2158) , May 11, 2025
Drag and Drop Multiple File Upload for WooCommerce (CVE-2025-4403) , May 11, 2025
Contact Us By Lord Linus (CVE-2025-1382) , May 11, 2025