CVE-2026-44583

The PayPal webhook endpoint /extensions/paypal/webhook processes the PAYPAL-CERT-URL HTTP header without validation, allowing attackers to control server-side HTTP request destinations.

The /extensions/paypal/webhook endpoint processes incoming webhook requests and trusts the value of the PAYPAL-CERT-URL HTTP header without validation.

This value is passed directly into a server-side HTTP request via file get contents, allowing attackers to control the destination of the request. No allowlist, validation, or signature verification is applied to the header before usage.

As a result, the application can be coerced into performing HTTP requests to attacker-controlled or internal network destinations.

This vulnerability allows remote unauthenticated attackers to induce server-side HTTP GET requests to arbitrary external or internal endpoints.

Depending on network configuration, this may lead to:

No direct response data is returned to the attacker (blind SSRF), but the issue may still enable sensitive network probing or data exfiltration via side channels.