Description
The SKT PayPal for WooCommerce plugin for WordPress is vulnerable to Payment Bypass in all versions up to, and including, 1.4. This is due to the plugin only enforcing client side controls instead of server-side controls when processing payments. This makes it possible for unauthenticated attackers to make confirmed purchases without actually paying for them.
Published: 2025-11-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Payment Bypass
Action: Immediate Patch
AI Analysis

Impact

The SKT PayPal for WooCommerce plugin for WordPress has a flaw that allows unauthenticated users to bypass payment checks. Because the plugin relies only on client‑side controls when processing orders, an attacker can submit a purchase request and receive a confirmed transaction without actual funds being transferred. This leads to financial loss for the site owner and can result in fraudulent orders. The weakness is a failure to enforce server‑side validation, aligning with CWE‑602.

Affected Systems

The vulnerable product is SKT PayPal for WooCommerce by sonalsinha21. All releases with a version number of 1.4 or earlier are affected. Administrators of WordPress sites running any of these releases should be aware that the plugin lacks proper server-side checks.

Risk and Exploitability

The CVSS base score of 7.5 places the issue in the high severity range. The EPSS score of less than 1% indicates a low probability of exploitation at this time, and the vulnerability is not yet listed in CISA KEV. Based on the description, the likely attack vector is a crafted HTTP request to the plugin's payment endpoint, which requires no authentication and performs no server-side check that payment actually occurred. Because the enforcement lives in front-end logic, the flaw could be abused remotely over the public internet against any instance that does not restrict access to the payment processing route; this is an inference from the missing server-side validation rather than a published exploit detail. When exercised, the lack of server-side validation makes the risk high.

Generated by OpenCVE AI on April 22, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the SKT PayPal for WooCommerce plugin to a version above 1.4 where the issue has been fixed.
  • If an upgrade is not immediately possible, disable the plugin’s public payment routes until a patch is applied or switch to a server‑side validated gateway.
  • Review the WordPress site’s access controls to ensure that only authenticated users can invoke payment processing endpoints, and update the plugin’s configuration to enforce server‑side checks where possible.
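
An added illustration of the CWE-602 pattern the Impact section describes and of the server-side enforcement the Recommended Actions call for; this is example code, not the SKT plugin's own, and the AJAX action names, option keys, token helper and the custom_id convention are assumptions. The first handler trusts a client-supplied "paid" flag; the hardened handler asks PayPal's Orders v2 API whether the capture completed and matches the WooCommerce order before marking it paid.

```php
<?php
// Added example, not the SKT plugin's code. Action names, option keys, the token
// helper and the custom_id convention are assumptions; the WordPress, WooCommerce
// and PayPal Orders v2 API calls are real.
// CWE-602 pattern: a client-supplied "paid" flag decides whether the order completes.
function skt_example_confirm_insecure() {
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( $order && ! empty( $_POST['paid'] ) ) { $order->payment_complete(); }
    wp_send_json_success();
}
// Hardened form: the server itself asks PayPal and checks status, amount, currency
// and that the capture belongs to this order before completing it.
add_action( 'wp_ajax_nopriv_skt_example_confirm', 'skt_example_confirm_secure' );
add_action( 'wp_ajax_skt_example_confirm', 'skt_example_confirm_secure' );
function skt_example_confirm_secure() {
    check_ajax_referer( 'skt_example_confirm', 'nonce' ); // CSRF: nonce issued to the checkout page
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    $pp_id = sanitize_text_field( wp_unslash( $_POST['paypal_order_id'] ?? '' ) );
    if ( ! $order || '' === $pp_id || $order->is_paid() ) {
        wp_send_json_error( 'invalid order', 400 );
    }
    $base = get_option( 'skt_example_paypal_base', 'https://api-m.sandbox.paypal.com' );
    $resp = wp_remote_get( $base . '/v2/checkout/orders/' . rawurlencode( $pp_id ),
        array( 'headers' => array( 'Authorization' => 'Bearer ' . skt_example_access_token( $base ) ), 'timeout' => 15 ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_send_json_error( 'paypal lookup failed', 502 );
    }
    $pp   = json_decode( wp_remote_retrieve_body( $resp ), true );
    $unit = $pp['purchase_units'][0] ?? array();
    $cap  = $unit['payments']['captures'][0] ?? array();
    $ok   = 'COMPLETED' === ( $pp['status'] ?? '' )
        && 'COMPLETED' === ( $cap['status'] ?? '' )
        && $order->get_currency() === ( $cap['amount']['currency_code'] ?? '' )
        && abs( (float) ( $cap['amount']['value'] ?? -1 ) - (float) $order->get_total() ) < 0.005
        && (string) $order->get_id() === ( $unit['custom_id'] ?? '' ); // set when the PayPal order was created
    if ( ! $ok ) {
        $order->add_order_note( 'PayPal verification failed for ' . $pp_id );
        wp_send_json_error( 'payment not verified', 402 );
    }
    $order->payment_complete( $pp_id ); // only now does the order become paid
    wp_send_json_success();
}
// Client-credentials token for the Orders API; credentials are read from options.
function skt_example_access_token( $base ) {
    $auth = base64_encode( get_option( 'skt_example_paypal_client_id' ) . ':' . get_option( 'skt_example_paypal_secret' ) );
    $resp = wp_remote_post( $base . '/v1/oauth2/token', array(
        'headers' => array( 'Authorization' => 'Basic ' . $auth ),
        'body'    => array( 'grant_type' => 'client_credentials' ) ) );
    return json_decode( wp_remote_retrieve_body( $resp ), true )['access_token'] ?? '';
}
```

The decisive difference is that the hardened handler never reads a payment outcome from the request; the only source of truth is PayPal's own record, compared against the order the server already holds.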

Generated by OpenCVE AI on April 22, 2026 at 16:30 UTC.

Advisories

No advisories yet.

History

Fri, 28 Nov 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Nov 2025 16:30:00 +0000

Type: First Time appeared
Values Added: Sonalsinha21; Sonalsinha21 skt Paypal For Woocommerce; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Sonalsinha21; Sonalsinha21 skt Paypal For Woocommerce; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Thu, 27 Nov 2025 04:45:00 +0000

Type: Description
Values Added: The SKT PayPal for WooCommerce plugin for WordPress is vulnerable to Payment Bypass in all versions up to, and including, 1.4. This is due to the plugin only enforcing client side controls instead of server-side controls when processing payments. This makes it possible for unauthenticated attackers to make confirmed purchases without actually paying for them.

Type: Title
Values Added: SKT PayPal for WooCommerce <= 1.4 - Unauthenticated Payment Bypass

Type: Weaknesses
Values Added: CWE-602

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:38:05.098Z

Reserved: 2025-07-18T17:34:58.374Z

Link: CVE-2025-7820

Vulnrichment

Updated: 2025-11-28T14:41:19.165Z

NVD

Status: Deferred

Published: 2025-11-27T05:16:17.913

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7820

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses