
Heibie

#47427 of 53,632
5.3 Total CVSS
Vulnerabilities · 1
PT-2019-13909
5.3
2019-08-29
Woocommerce · Woocommerce Paypal Checkout Payment Gateway · CVE-2019-14979
**Name of the Vulnerable Software and Affected Versions**

WooCommerce PayPal Checkout Payment Gateway plugin version 1.6.17

**Description**

The issue allows for parameter tampering in the amount parameter, such as `amount_1`, in the `cgi-bin/webscr?cmd=_cart` endpoint. This can be exploited to purchase an item for a lower price than intended. However, the amount is validated against the WooCommerce order total before completing the order. If the amounts do not match, the order will be left in an "On Hold" state.

**Recommendations**

For WooCommerce PayPal Checkout Payment Gateway plugin version 1.6.17, consider validating user input for the `amount_1` parameter to prevent tampering, and ensure that the amount is consistent with the WooCommerce order total before completing the order. As a temporary workaround, monitor orders left in an "On Hold" state for potential exploitation attempts.