PT-2026-3343 · WordPress · Payment Button For Paypal

Published

2026-01-17

·

Updated

2026-01-17

·

CVE-2025-14463

CVSS v3.1

5.3

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: The Payment Button for PayPal plugin for WordPress, versions prior to 1.2.3.41.

Description: The plugin exposes a public AJAX endpoint, wppaypalcheckout_ajax_process_order, that processes checkout results without authentication and without server-side verification of the PayPal transaction. This allows unauthenticated attackers to create arbitrary orders via direct POST requests to the endpoint, bypassing parameter validation. If email sending is enabled, the plugin will also send purchase receipt emails to any supplied email address. The result is potential corruption of the order database and unauthorized outgoing emails without any legitimate PayPal transaction.

Recommendations: Update the Payment Button for PayPal plugin to a version later than 1.2.3.41.
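The root cause described above is a public (nopriv) AJAX handler that trusts client-supplied order data. The following is an added example of the defensive pattern for such a handler; it is not the plugin's code and does not reproduce the vulnerable endpoint. The action name example_process_order, the post meta keys, the option names holding PayPal API credentials, and the helper function names are all assumptions; the PayPal Orders API v2 and OAuth token endpoints used are PayPal's documented ones.

```php
<?php
// Hardened public AJAX checkout handler (added example, not the plugin's code).
// Principles: CSRF nonce, accept only identifiers from the client, verify the
// payment server-side with PayPal, compare against server-recorded expectations,
// prevent replay, and send receipts only to the verified payer.

add_action( 'wp_ajax_example_process_order', 'example_process_order' );        // assumed action name
add_action( 'wp_ajax_nopriv_example_process_order', 'example_process_order' ); // public, so every check below matters

function example_process_order() {
    // 1. CSRF protection: nonce emitted by the page that rendered the PayPal button.
    check_ajax_referer( 'example_checkout', 'nonce' );

    // 2. Take only identifiers from the request; amounts, status and email are never trusted from POST.
    $paypal_order_id = isset( $_POST['paypal_order_id'] ) ? sanitize_text_field( wp_unslash( $_POST['paypal_order_id'] ) ) : '';
    $local_order_id  = isset( $_POST['local_order_id'] ) ? absint( $_POST['local_order_id'] ) : 0;
    if ( '' === $paypal_order_id || 0 === $local_order_id ) {
        wp_send_json_error( array( 'message' => 'Missing parameters.' ), 400 );
    }

    // The pending order and its expected amount were recorded server-side before redirecting to PayPal (assumed meta keys).
    $expected = get_post_meta( $local_order_id, '_example_expected', true ); // e.g. array( 'amount' => '12.00', 'currency' => 'USD' )
    if ( empty( $expected ) || 'pending' !== get_post_meta( $local_order_id, '_example_status', true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown or already processed order.' ), 409 );
    }

    // 3. Server-side verification: ask PayPal what actually happened instead of believing the browser.
    $order = example_fetch_paypal_order( $paypal_order_id );
    if ( is_wp_error( $order ) ) {
        wp_send_json_error( array( 'message' => 'Payment could not be verified.' ), 502 );
    }

    // 4. The order and its capture must be COMPLETED, and amount/currency must match the server's expectation.
    $capture = $order['purchase_units'][0]['payments']['captures'][0] ?? array();
    if ( 'COMPLETED' !== ( $order['status'] ?? '' )
        || 'COMPLETED' !== ( $capture['status'] ?? '' )
        || ( $capture['amount']['value'] ?? '' ) !== $expected['amount']
        || ( $capture['amount']['currency_code'] ?? '' ) !== $expected['currency'] ) {
        wp_send_json_error( array( 'message' => 'Payment not completed or does not match order.' ), 402 );
    }

    // 5. Replay protection: one PayPal order id may settle at most one local order.
    $already = get_posts( array(
        'post_type'      => 'example_order',   // assumed post type
        'post_status'    => 'any',
        'meta_key'       => '_example_paypal_id',
        'meta_value'     => $paypal_order_id,
        'fields'         => 'ids',
        'posts_per_page' => 1,
    ) );
    if ( ! empty( $already ) ) {
        wp_send_json_error( array( 'message' => 'Transaction already used.' ), 409 );
    }

    // 6. Only now mutate state; the receipt goes to the payer PayPal reports, not to an address from POST.
    update_post_meta( $local_order_id, '_example_status', 'paid' );
    update_post_meta( $local_order_id, '_example_paypal_id', $paypal_order_id );
    $payer_email = sanitize_email( $order['payer']['email_address'] ?? '' );
    if ( is_email( $payer_email ) ) {
        wp_mail( $payer_email, 'Your receipt', 'Order #' . $local_order_id . ' has been paid.' );
    }
    wp_send_json_success( array( 'order_id' => $local_order_id ) );
}

// GET /v2/checkout/orders/{id} on PayPal's live API; returns the decoded order or a WP_Error.
function example_fetch_paypal_order( $paypal_order_id ) {
    $token = example_paypal_access_token();
    if ( is_wp_error( $token ) ) {
        return $token;
    }
    $resp = wp_remote_get( 'https://api-m.paypal.com/v2/checkout/orders/' . rawurlencode( $paypal_order_id ), array(
        'headers' => array( 'Authorization' => 'Bearer ' . $token, 'Content-Type' => 'application/json' ),
        'timeout' => 15,
    ) );
    if ( is_wp_error( $resp ) ) {
        return $resp;
    }
    if ( 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return new WP_Error( 'paypal_http', 'Unexpected response from PayPal.' );
    }
    $body = json_decode( wp_remote_retrieve_body( $resp ), true );
    return is_array( $body ) ? $body : new WP_Error( 'paypal_body', 'Invalid JSON from PayPal.' );
}

// Client-credentials token from /v1/oauth2/token; credentials live in options (assumed option names).
function example_paypal_access_token() {
    $client = get_option( 'example_paypal_client_id' );
    $secret = get_option( 'example_paypal_secret' );
    if ( empty( $client ) || empty( $secret ) ) {
        return new WP_Error( 'paypal_config', 'PayPal credentials not configured.' );
    }
    $resp = wp_remote_post( 'https://api-m.paypal.com/v1/oauth2/token', array(
        'headers' => array( 'Authorization' => 'Basic ' . base64_encode( $client . ':' . $secret ) ),
        'body'    => array( 'grant_type' => 'client_credentials' ),
        'timeout' => 15,
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return new WP_Error( 'paypal_auth', 'Could not obtain PayPal access token.' );
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    return ! empty( $data['access_token'] ) ? $data['access_token'] : new WP_Error( 'paypal_auth', 'Token missing.' );
}
```

The design point is that a checkout-completion endpoint has to be reachable without login, so authorization cannot come from a WordPress capability check; it comes from the nonce, from PayPal confirming the capture, and from comparing that capture against what the server itself recorded before the buyer left the site. Each of the failure modes in the advisory (orders created without a transaction, receipts sent to arbitrary addresses) is closed by one of the numbered steps.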

Fix

Missing Authorization


Weakness Enumeration

Related identifiers

CVE-2025-14463

Affected products

Payment Button For Paypal