PT-2019-13909 · Woocommerce · Woocommerce Paypal Checkout Payment Gateway

Heibie · Published 2019-08-29 · Updated 2024-08-05 · CVE-2019-14979

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WooCommerce PayPal Checkout Payment Gateway plugin, version 1.6.17
Description: The plugin sends the buyer to PayPal's cgi-bin/webscr?cmd=_cart endpoint with the order's prices carried in browser-submitted form fields such as amount_1. Because those fields leave the store through the buyer's browser, a buyer can rewrite amount_1 (for example to 1) before the form is submitted and pay PayPal less than the cart total. The practical impact is limited: the plugin compares the amount PayPal reports for the payment against the WooCommerce order total before completing the order, and when the two do not match the order is left in the "On Hold" state instead of being marked paid.
Recommendations: For WooCommerce PayPal Checkout Payment Gateway plugin version 1.6.17, note that the price fields in the cart upload cannot be protected on the client side, because they are submitted from the buyer's browser. The effective control is the server-side one the plugin already performs: treat the order total stored in WooCommerce as authoritative, compare the amount and currency PayPal reports for the payment against it before completing the order, and never mark an order paid on the strength of browser-supplied values. As a temporary workaround, review orders left in the "On Hold" state for amount mismatches, which are the trace an exploitation attempt leaves behind.
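The attack and the server-side check that contains it, as an added example that is not code from the page or from the plugin. It models the cart upload the buyer's browser posts to cgi-bin/webscr?cmd=_cart, the amount_1 tampering the description refers to, and a reconciliation step of the kind the recommendations call for: the store keeps its own order total, compares it with the mc_gross and mc_currency fields of the IPN PayPal sends back, and parks the order "on-hold" on any mismatch. The order record, the item, the IPN contents and the function names are constructed for the example; the IPN is assumed to have already been authenticated with PayPal before it reaches settle_order.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import urlencode

# Constructed sample order (assumption: the store keeps the authoritative total
# server-side, keyed by its own order id, and never trusts the browser for it).
SAMPLE_ORDER = {"id": "1001", "total": Decimal("49.99"),
                "currency": "USD", "status": "pending", "note": ""}

PAYPAL_CART = "https://www.paypal.com/cgi-bin/webscr"


def cart_upload_fields(order):
    """Fields the buyer's browser posts to cgi-bin/webscr?cmd=_cart.

    Every one of these, amount_1 included, passes through the buyer's browser,
    so the store cannot validate them there; it can only re-check the paid
    amount when PayPal reports back.
    """
    return {
        "cmd": "_cart",
        "upload": "1",
        "custom": order["id"],            # echoed back to the store in the IPN
        "currency_code": order["currency"],
        "item_name_1": "Widget",          # constructed line item
        "amount_1": str(order["total"]),
        "quantity_1": "1",
    }


def cart_upload_url(fields):
    """The redirect target as it appears in the buyer's address bar."""
    return PAYPAL_CART + "?" + urlencode(fields)


def tamper(fields, new_amount):
    """What the advisory describes: the buyer rewrites amount_1 before submitting."""
    tampered = dict(fields)
    tampered["amount_1"] = new_amount
    return tampered


def paypal_ipn_for(fields, txn_id="TXN1"):
    """Constructed IPN for a completed payment of exactly the posted cart.

    Real IPNs carry many more fields; only those the check below needs are modelled.
    """
    amount = Decimal(fields["amount_1"]) * Decimal(fields["quantity_1"])
    return {
        "txn_id": txn_id,
        "payment_status": "Completed",
        "mc_gross": str(amount),
        "mc_currency": fields["currency_code"],
        "custom": fields["custom"],
    }


def settle_order(order, ipn):
    """Reconcile an authenticated IPN against the stored order.

    Assumes the IPN was already posted back to PayPal and answered VERIFIED,
    and that ipn['custom'] was matched to this order. Returns a new order
    dict; the original is not modified.
    """
    settled = dict(order)
    if ipn.get("payment_status") != "Completed":
        settled["note"] = f"payment_status={ipn.get('payment_status')}"
        return settled                      # stays pending until money moves
    try:
        paid = Decimal(ipn["mc_gross"])
    except (KeyError, InvalidOperation):
        settled["status"] = "on-hold"
        settled["note"] = "IPN mc_gross missing or malformed"
        return settled
    if ipn.get("mc_currency") != order["currency"]:
        settled["status"] = "on-hold"
        settled["note"] = (f"currency mismatch: paid {ipn.get('mc_currency')}, "
                           f"expected {order['currency']}")
        return settled
    if paid != order["total"]:
        settled["status"] = "on-hold"
        settled["note"] = (f"amount mismatch: paid {paid} {order['currency']}, "
                           f"expected {order['total']}")
        return settled
    settled["status"] = "processing"
    settled["note"] = f"PayPal {ipn['txn_id']} matched order total"
    return settled


def mismatched_on_hold(orders):
    """The workaround from the advisory: list on-hold orders whose note records a mismatch."""
    return [o["id"] for o in orders
            if o["status"] == "on-hold" and "mismatch" in o["note"]]


if __name__ == "__main__":
    fields = cart_upload_fields(SAMPLE_ORDER)
    print(cart_upload_url(fields))
    honest = settle_order(SAMPLE_ORDER, paypal_ipn_for(fields))
    print(honest["status"], "-", honest["note"])
    cheap = settle_order(SAMPLE_ORDER, paypal_ipn_for(tamper(fields, "1.00"), "TXN2"))
    print(cheap["status"], "-", cheap["note"])
    print(mismatched_on_hold([honest, cheap]))
```

The comparison uses Decimal rather than float so that 49.99 is compared exactly, and it checks currency as well as amount: an IPN for 49.99 in a weaker currency would otherwise pass an amount-only check. Nothing here prevents the tampered cart from being submitted; it only guarantees that the order is never fulfilled at the tampered price.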

Related Identifiers: CVE-2019-14979
Affected Products: Woocommerce Paypal Checkout Payment Gateway