CVE-2025-8198 (GCVE-0-2025-8198)

Vulnerability from cvelistv5 – Published: 2025-07-26 05:45 – Updated: 2025-07-28 15:57
VLAI?
Title
MinimogWP – The High Converting eCommerce WordPress Theme <= 3.9.0 - Unauthenticated Price Manipulation
Summary
The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.9.0. This is due to an insufficient check on quantity values when changing quantities in the cart. This makes it possible for unauthenticated attackers to add items to the cart and adjust the quantity to a fractional amount, causing the price to change based on the fractional amount. The vulnerability cannot be exploited if WooCommerce version 9.8.2+ is installed.
Severity ?
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE
  • CWE-472 - External Control of Assumed-Immutable Web Parameter
Assigner
References
Impacted products
Vendor Product Version
ThemeMove MinimogWP – The High Converting eCommerce WordPress Theme Affected: * , ≤ 3.9.0 (semver)
Create a notification for this product.
Credits
Vijay
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-8198",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-28T15:57:15.856126Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-28T15:57:21.080Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MinimogWP \u2013 The High Converting eCommerce WordPress Theme",
          "vendor": "ThemeMove",
          "versions": [
            {
              "lessThanOrEqual": "3.9.0",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Vijay"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The MinimogWP \u2013 The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.9.0. This is due to an insufficient check on quantity values when changing quantities in the cart. This makes it possible for unauthenticated attackers to add items to the cart and adjust the quantity to a fractional amount, causing the price to change based on the fractional amount. The vulnerability cannot be exploited if WooCommerce version 9.8.2+ is installed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-472",
              "description": "CWE-472 External Control of Assumed-Immutable Web Parameter",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-26T05:45:53.219Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cfea0427-78dc-4151-864a-63b6761fc294?source=cve"
        },
        {
          "url": "https://changelog.thememove.com/minimog-wp/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-07-25T16:30:16.000+00:00",
          "value": "Disclosed"
        }
      ],
      "title": "MinimogWP \u2013 The High Converting eCommerce WordPress Theme \u003c= 3.9.0 - Unauthenticated Price Manipulation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-8198",
    "datePublished": "2025-07-26T05:45:53.219Z",
    "dateReserved": "2025-07-25T16:26:50.958Z",
    "dateUpdated": "2025-07-28T15:57:21.080Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-8198\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2025-07-26T06:15:23.600\",\"lastModified\":\"2025-07-29T14:14:55.157\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The MinimogWP \u2013 The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.9.0. This is due to an insufficient check on quantity values when changing quantities in the cart. This makes it possible for unauthenticated attackers to add items to the cart and adjust the quantity to a fractional amount, causing the price to change based on the fractional amount. The vulnerability cannot be exploited if WooCommerce version 9.8.2+ is installed.\"},{\"lang\":\"es\",\"value\":\"El tema MinimogWP \u2013 The High Converting eCommerce WordPress Theme para WordPress, es vulnerable a la manipulaci\u00f3n de precios en todas las versiones hasta la 3.9.0 incluida. Esto se debe a una comprobaci\u00f3n insuficiente de los valores de cantidad al modificar las cantidades en el carrito. Esto permite que atacantes no autenticados a\u00f1adan art\u00edculos al carrito y ajusten la cantidad a una fracci\u00f3n, lo que provoca que el precio cambie en funci\u00f3n de dicha fracci\u00f3n. Esta vulnerabilidad no se puede explotar si se instala WooCommerce versi\u00f3n 9.8.2 o superior.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-472\"}]}],\"references\":[{\"url\":\"https://changelog.thememove.com/minimog-wp/\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/cfea0427-78dc-4151-864a-63b6761fc294?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-8198\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-28T15:57:15.856126Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-28T15:57:17.792Z\"}}], \"cna\": {\"title\": \"MinimogWP \\u2013 The High Converting eCommerce WordPress Theme \u003c= 3.9.0 - Unauthenticated Price Manipulation\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Vijay\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\"}}], \"affected\": [{\"vendor\": \"ThemeMove\", \"product\": \"MinimogWP \\u2013 The High Converting eCommerce WordPress Theme\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.9.0\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-07-25T16:30:16.000+00:00\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/cfea0427-78dc-4151-864a-63b6761fc294?source=cve\"}, {\"url\": \"https://changelog.thememove.com/minimog-wp/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The MinimogWP \\u2013 The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.9.0. This is due to an insufficient check on quantity values when changing quantities in the cart. This makes it possible for unauthenticated attackers to add items to the cart and adjust the quantity to a fractional amount, causing the price to change based on the fractional amount. The vulnerability cannot be exploited if WooCommerce version 9.8.2+ is installed.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-472\", \"description\": \"CWE-472 External Control of Assumed-Immutable Web Parameter\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2025-07-26T05:45:53.219Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-8198\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-28T15:57:21.080Z\", \"dateReserved\": \"2025-07-25T16:26:50.958Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2025-07-26T05:45:53.219Z\", \"assignerShortName\": \"Wordfence\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.