PT-2026-3343 · WordPress · Payment Button For Paypal
Published: 2026-01-17 · Updated: 2026-01-17 · CVE-2025-14463
CVSS v3.1: 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
The Payment Button for PayPal plugin for WordPress, versions prior to 1.2.3.41
Description
The plugin exposes a public AJAX endpoint, `wppaypalcheckout_ajax_process_order`, that processes checkout results without authentication and without server-side verification of the PayPal transaction. This allows unauthenticated attackers to create arbitrary orders via direct POST requests to the endpoint, bypassing parameter validation. If email sending is enabled, the plugin will also send purchase receipt emails to any supplied email address. The result is potential order database corruption and unauthorized outgoing emails without a legitimate PayPal transaction.
Recommendations
Update the Payment Button for PayPal plugin to a version later than 1.2.3.41.
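The root cause in the description above is a checkout handler that trusts what the browser posts. The following is an added example, not code from the plugin or from the advisory, showing the shape of a public WordPress AJAX checkout handler that closes both gaps: it verifies a nonce, then asks PayPal's Orders API whether the referenced order is actually COMPLETED for the server-side price, and only then records the order and mails a receipt to the payer address PayPal reports. Every `example_*` function, the option names, the `example_order` post type and the meta keys are hypothetical; the `v1/oauth2/token` and `v2/checkout/orders/{id}` endpoints are PayPal's public REST API.

```php
<?php
// Added example, not the plugin's code. All example_* names, option names,
// the 'example_order' post type and meta keys are hypothetical.

add_action( 'wp_ajax_example_process_order', 'example_process_order' );
add_action( 'wp_ajax_nopriv_example_process_order', 'example_process_order' );

function example_process_order() {
	// CSRF control: the request must carry the nonce the checkout page was given.
	// This alone proves nothing about payment, so the checks below still run.
	check_ajax_referer( 'example_checkout', 'nonce' );

	$order_id   = sanitize_text_field( wp_unslash( $_POST['paypal_order_id'] ?? '' ) );
	$product_id = absint( $_POST['product_id'] ?? 0 );
	if ( '' === $order_id || 0 === $product_id ) {
		wp_send_json_error( 'missing parameters', 400 );
	}

	// Price and currency are looked up server-side, never read from the request.
	$expected = example_get_product_price( $product_id );
	if ( null === $expected ) {
		wp_send_json_error( 'unknown product', 400 );
	}

	// Ask PayPal what actually happened instead of trusting the client's claim.
	$paypal = example_fetch_paypal_order( $order_id );
	if ( is_wp_error( $paypal ) ) {
		wp_send_json_error( 'verification failed', 502 );
	}
	$amount = $paypal['purchase_units'][0]['amount'] ?? array();
	if ( 'COMPLETED' !== ( $paypal['status'] ?? '' )
		|| $expected['value'] !== ( $amount['value'] ?? '' )
		|| $expected['currency'] !== ( $amount['currency_code'] ?? '' ) ) {
		wp_send_json_error( 'order not completed or amount mismatch', 402 );
	}

	// Replay protection: one PayPal order id yields at most one local order.
	if ( example_order_exists( $order_id ) ) {
		wp_send_json_error( 'duplicate order', 409 );
	}

	// The receipt goes to the payer email PayPal reports, not a client-supplied one.
	$payer_email = sanitize_email( $paypal['payer']['email_address'] ?? '' );
	$local_id    = example_create_order( $order_id, $product_id, $expected, $payer_email );
	if ( is_email( $payer_email ) ) {
		wp_mail( $payer_email, 'Your receipt', "Order #{$local_id} confirmed." );
	}
	wp_send_json_success( array( 'order' => $local_id ) );
}

function example_fetch_paypal_order( $order_id ) {
	$token = example_paypal_access_token();
	if ( is_wp_error( $token ) ) {
		return $token;
	}
	$resp = wp_remote_get(
		'https://api-m.paypal.com/v2/checkout/orders/' . rawurlencode( $order_id ),
		array( 'headers' => array( 'Authorization' => 'Bearer ' . $token ), 'timeout' => 15 )
	);
	if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
		return new WP_Error( 'paypal_lookup', 'could not retrieve order' );
	}
	$data = json_decode( wp_remote_retrieve_body( $resp ), true );
	return is_array( $data ) ? $data : new WP_Error( 'paypal_lookup', 'bad response' );
}

function example_paypal_access_token() {
	$creds = get_option( 'example_paypal_client_id' ) . ':' . get_option( 'example_paypal_secret' );
	$resp  = wp_remote_post( 'https://api-m.paypal.com/v1/oauth2/token', array(
		'headers' => array( 'Authorization' => 'Basic ' . base64_encode( $creds ) ),
		'body'    => array( 'grant_type' => 'client_credentials' ),
		'timeout' => 15,
	) );
	if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
		return new WP_Error( 'paypal_auth', 'token request failed' );
	}
	$data = json_decode( wp_remote_retrieve_body( $resp ), true );
	return $data['access_token'] ?? new WP_Error( 'paypal_auth', 'no token in response' );
}

// Minimal store-side persistence on a hypothetical custom post type.
function example_get_product_price( $product_id ) {
	$value = get_post_meta( $product_id, '_example_price', true ); // e.g. "10.00"
	return '' === $value ? null : array( 'value' => $value, 'currency' => 'USD' );
}
function example_order_exists( $paypal_id ) {
	return (bool) get_posts( array( 'post_type' => 'example_order', 'post_status' => 'any',
		'meta_key' => '_paypal_order_id', 'meta_value' => $paypal_id, 'fields' => 'ids' ) );
}
function example_create_order( $paypal_id, $product_id, $amount, $email ) {
	$id = wp_insert_post( array( 'post_type' => 'example_order', 'post_status' => 'publish',
		'post_title' => 'Order ' . $paypal_id ) );
	update_post_meta( $id, '_paypal_order_id', $paypal_id );
	update_post_meta( $id, '_product_id', $product_id );
	update_post_meta( $id, '_amount', $amount['value'] . ' ' . $amount['currency'] );
	update_post_meta( $id, '_payer_email', $email );
	return $id;
}
```

The `PR:N` in the vector is expected for a checkout flow: guests legitimately reach the endpoint, so the missing control is not a login check but the server-side call to PayPal plus the amount and replay checks. When reviewing a site for this issue, the useful signal is POST requests to `admin-ajax.php` for the action named above that are not preceded by a PayPal redirect and that produce orders with no matching PayPal transaction id.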
Weakness Enumeration: Missing Authorization
Related Identifiers: CVE-2025-14463
Affected Products: Payment Button For Paypal