Skip to main content

WooCommerce PayPal Payments CVE-2026-9284

| EUVDEUVD-2026-31524 HIGH
Missing Authorization (CWE-862)
2026-05-23 Wordfence GHSA-x2h5-274p-6qqf
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 23, 2026 - 05:15 vuln.today

DescriptionCVE.org

The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the ppc-create-order and ppc-get-order WC-AJAX endpoints in all versions up to, and including, 4.0.1. The ppc-create-order endpoint accepts an arbitrary WooCommerce order ID in the pay-now context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The ppc-get-order endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers' order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim's WC order and then retrieving the PayPal order data.

AnalysisAI

Unauthorized order manipulation and information disclosure in the WooCommerce PayPal Payments WordPress plugin (versions through 4.0.1) allows remote unauthenticated attackers to abuse two WC-AJAX endpoints (ppc-create-order and ppc-get-order) that lack authorization checks. By chaining these endpoints, an attacker can create a PayPal order against any victim's WooCommerce order ID and then retrieve full PayPal order details including payer information and shipping data. No public exploit identified at time of analysis, but the plugin's broad e-commerce deployment and trivial attack complexity make this a credible target.

Technical ContextAI

WooCommerce PayPal Payments is the official PayPal integration plugin for WooCommerce, the dominant WordPress e-commerce platform. The vulnerability is rooted in CWE-862 (Missing Authorization): the CreateOrderEndpoint.php and GetOrderEndpoint.php handlers (referenced at lines 249 and 44 respectively in plugin source under modules/ppcp-button/src/Endpoint/) process WC-AJAX requests without verifying that the requester owns or has any session relationship to the WooCommerce order ID being acted upon. The 'pay-now' context in ppc-create-order accepts arbitrary WC order IDs and writes PayPal metadata to them, while ppc-get-order returns complete PayPal order objects keyed only by PayPal order ID with no session binding. CPE coverage identifies all versions of cpe:2.3:a:woocommerce:woocommerce_paypal_payments as affected up to and including 4.0.1.

RemediationAI

Patch availability is not explicitly stated in the input; the WordPress.org plugin trac changeset referenced (https://plugins.trac.wordpress.org/changeset?old=3497597&new=3497597&reponame=woocommerce-paypal-payments) indicates an upstream fix has been committed, but a released patched version is not independently confirmed in the provided data - administrators should upgrade WooCommerce PayPal Payments to the latest release above 4.0.1 as soon as the vendor publishes it and verify the fix on the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/d5fa3282-b3be-4ea1-9865-011dea828a25). Until a confirmed patched version is installed, compensating controls include using a WAF (Wordfence, Cloudflare, etc.) to block unauthenticated POST requests to wc-ajax endpoints named ppc-create-order and ppc-get-order, or temporarily disabling the WooCommerce PayPal Payments plugin and switching to an alternate payment gateway - noting the trade-off of losing PayPal checkout availability and the customer conversion impact that entails. Restricting admin-ajax.php / wc-ajax.php to authenticated sessions at the edge would break legitimate guest checkout, so that mitigation is not advisable for production storefronts.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-9284 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy