Description The plugin is vulnerable to authentication bypass due to missing authentication checking in the βset_user_cartβ function with the βuser_idβ header value. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id.