Description
The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, product name, amount, or customer information via direct POST requests to the AJAX endpoint, granted they can bypass basic parameter validation. If email sending is enabled, the plugin will also trigger purchase receipt emails to any email address supplied in the request, leading to order database corruption and unauthorized outgoing emails without any real PayPal transaction taking place.
Published: 2026-01-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Order Creation
Action: Patch Now
AI Analysis

Impact

The Payment Button for PayPal plugin processes checkout results through a public AJAX endpoint that accepts order details without authentication or server‑side verification of the PayPal transaction. This missing authorization check allows an unauthenticated attacker to craft POST requests that create arbitrary orders with any transaction ID, payment status, product name, amount, or customer information. If email notifications are enabled, the plugin may also send purchase receipt emails to any address supplied, resulting in database corruption and unwanted outbound email.

Affected Systems

All WordPress sites running the Payment Button for PayPal plugin version 1.2.3.41 or earlier are affected. The vulnerability is specific to the plugin module that handles checkout via the AJAX endpoint and is present in all releases up to and including 1.2.3.41.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% shows a very low probability of exploitation. The plugin is not listed in the CISA Known Exploited Vulnerabilities catalog, further reducing immediate risk. An attacker can exploit the flaw by sending crafted POST requests to the AJAX endpoint without user authentication. The only requirement is the ability to bypass basic parameter validation, making the vulnerability potentially exploitable by anyone with network access to the WordPress site.

Generated by OpenCVE AI on April 21, 2026 at 23:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Payment Button for PayPal plugin to a release newer than 1.2.3.41, which implements proper authorization checks on order creation.
  • If an upgrade cannot be applied immediately, restrict access to the AJAX endpoint so that only authenticated requests reach it, such as by configuring firewall rules or using .htaccess conditions.
  • Disable or control the plugin’s email notifications so that receipt emails are only sent for verified transactions, preventing unintended outbound messages.

Generated by OpenCVE AI on April 21, 2026 at 23:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Naa986
Naa986 payment Button For Paypal
Wordpress
Wordpress wordpress
Vendors & Products Naa986
Naa986 payment Button For Paypal
Wordpress
Wordpress wordpress

Sat, 17 Jan 2026 03:45:00 +0000

Type Values Removed Values Added
Description The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, product name, amount, or customer information via direct POST requests to the AJAX endpoint, granted they can bypass basic parameter validation. If email sending is enabled, the plugin will also trigger purchase receipt emails to any email address supplied in the request, leading to order database corruption and unauthorized outgoing emails without any real PayPal transaction taking place.
Title Payment Button for PayPal <= 1.2.3.41 - Missing Authorization to Unauthenticated Arbitrary Order Creation
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Naa986 Payment Button For Paypal
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:43.170Z

Reserved: 2025-12-10T16:00:08.500Z

Link: CVE-2025-14463

cve-icon Vulnrichment

Updated: 2026-01-20T18:57:25.844Z

cve-icon NVD

Status : Deferred

Published: 2026-01-17T04:16:07.593

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14463

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:00:03Z

Weaknesses