Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the ppc-create-order and ppc-get-order WC-AJAX endpoints in all versions up to, and including, 4.0.1. The ppc-create-order endpoint accepts an arbitrary WooCommerce order ID in the pay-now context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The ppc-get-order endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers' order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim's WC order and then retrieving the PayPal order data.
AnalysisAI
Unauthorized order manipulation and information disclosure in the WooCommerce PayPal Payments WordPress plugin (versions through 4.0.1) allows remote unauthenticated attackers to abuse two WC-AJAX endpoints (ppc-create-order and ppc-get-order) that lack authorization checks. By chaining these endpoints, an attacker can create a PayPal order against any victim's WooCommerce order ID and then retrieve full PayPal order details including payer information and shipping data. No public exploit identified at time of analysis, but the plugin's broad e-commerce deployment and trivial attack complexity make this a credible target.
Technical ContextAI
WooCommerce PayPal Payments is the official PayPal integration plugin for WooCommerce, the dominant WordPress e-commerce platform. The vulnerability is rooted in CWE-862 (Missing Authorization): the CreateOrderEndpoint.php and GetOrderEndpoint.php handlers (referenced at lines 249 and 44 respectively in plugin source under modules/ppcp-button/src/Endpoint/) process WC-AJAX requests without verifying that the requester owns or has any session relationship to the WooCommerce order ID being acted upon. The 'pay-now' context in ppc-create-order accepts arbitrary WC order IDs and writes PayPal metadata to them, while ppc-get-order returns complete PayPal order objects keyed only by PayPal order ID with no session binding. CPE coverage identifies all versions of cpe:2.3:a:woocommerce:woocommerce_paypal_payments as affected up to and including 4.0.1.
RemediationAI
Patch availability is not explicitly stated in the input; the WordPress.org plugin trac changeset referenced (https://plugins.trac.wordpress.org/changeset?old=3497597&new=3497597&reponame=woocommerce-paypal-payments) indicates an upstream fix has been committed, but a released patched version is not independently confirmed in the provided data - administrators should upgrade WooCommerce PayPal Payments to the latest release above 4.0.1 as soon as the vendor publishes it and verify the fix on the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/d5fa3282-b3be-4ea1-9865-011dea828a25). Until a confirmed patched version is installed, compensating controls include using a WAF (Wordfence, Cloudflare, etc.) to block unauthenticated POST requests to wc-ajax endpoints named ppc-create-order and ppc-get-order, or temporarily disabling the WooCommerce PayPal Payments plugin and switching to an alternate payment gateway - noting the trade-off of losing PayPal checkout availability and the customer conversion impact that entails. Restricting admin-ajax.php / wc-ajax.php to authenticated sessions at the edge would break legitimate guest checkout, so that mitigation is not advisable for production storefronts.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31524
GHSA-x2h5-274p-6qqf