Description
The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all versions up to, and including, 4.0.1. The `ppc-create-order` endpoint accepts an arbitrary WooCommerce order ID in the `pay-now` context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The `ppc-get-order` endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers' order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim's WC order and then retrieving the PayPal order data.
Published: 2026-05-23
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check on the ppc-create-order and ppc-get-order AJAX endpoints in the WooCommerce PayPal Payments plugin. Attackers can supply any WooCommerce order ID, causing a PayPal order to be created with arbitrary metadata and then retrieve full PayPal order details, exposing payer and shipping information. The flaw, classified as CWE-862, undermines both the integrity of order processing and the confidentiality of sensitive order data.

Affected Systems

All installations of the WooCommerce PayPal Payments plugin at version 4.0.1 or earlier are affected, that is, any WordPress site running WooCommerce with this PayPal Payments add-on active. The vulnerability is present regardless of WordPress user roles or site configuration.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. Although EPSS data is unavailable, the AJAX endpoints are publicly reachable, so unauthenticated attackers can attempt exploitation at any time. The attacker simply crafts an HTTP request to the ppc-create-order endpoint with an order ID, then queries ppc-get-order to exfiltrate the associated PayPal transaction data. Because the plugin does not verify that the requester owns the order or is an authenticated administrator, the vulnerability can be leveraged to manipulate other customers' orders and steal private information, making it a high-risk threat for any e-commerce site using the affected plugin.

Generated by OpenCVE AI on May 23, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WooCommerce PayPal Payments plugin to version 4.0.2 or later, which includes proper authorization checks on the ppc-create-order and ppc-get-order endpoints.
  • Configure the site firewall or a security plugin to block unauthenticated requests to the ppc-create-order and ppc-get-order AJAX endpoints.
  • Regularly review server logs for anomalous POST or GET requests to ppc-create-order or ppc-get-order and investigate any suspicious activity.
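The third recommended action calls for reviewing server logs. What follows is an added example, not part of the OpenCVE record and not code from the plugin: a Python script that scans combined-format access log lines for bursts of requests to the ppc-create-order and ppc-get-order WC-AJAX endpoints (WooCommerce routes these as `?wc-ajax=<action>`) and, per source IP, counts create-then-get sequences like the chain the description mentions. The log lines, IP addresses (TEST-NET ranges), time window and threshold are constructed assumptions for illustration.

```python
# Added example (not part of the OpenCVE record or the plugin): scan a
# combined-format access log for request bursts against the two WC-AJAX
# endpoints named in this CVE. Endpoint names come from the advisory; the
# log lines, IP addresses, window and threshold are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# WC-AJAX actions named in the advisory; WooCommerce routes them via ?wc-ajax=<action>
WATCHED = {"ppc-create-order", "ppc-get-order"}


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    action = parse_qs(query).get("wc-ajax", [None])[0]
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "method": m.group("method"),
        "action": action,
        "status": int(m.group("status")),
    }


def find_suspicious(lines, window=timedelta(minutes=5), max_creates=5):
    """Flag source IPs whose ppc-create-order volume inside `window` exceeds
    `max_creates` (the threshold is an assumption; tune it to real traffic).
    For each flagged IP also count create -> get chains, the sequence the
    advisory describes. Order IDs travel in POST bodies, which access logs do
    not record, so this is a rate heuristic; confirm against WAF/plugin logs."""
    by_ip = defaultdict(list)
    for event in map(parse_line, lines):
        if event and event["action"] in WATCHED:
            by_ip[event["ip"]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        creates = [e for e in events if e["action"] == "ppc-create-order"]
        gets = [e for e in events if e["action"] == "ppc-get-order"]

        # Sliding window: largest number of create calls inside any `window`.
        peak, start = 0, 0
        for i, cur in enumerate(creates):
            while cur["ts"] - creates[start]["ts"] > window:
                start += 1
            peak = max(peak, i - start + 1)

        # A get that follows some create from the same IP within the window.
        chains = sum(
            1 for g in gets
            if any(timedelta(0) <= g["ts"] - c["ts"] <= window for c in creates)
        )

        if peak > max_creates:
            findings[ip] = {
                "peak_creates_in_window": peak,
                "create_then_get_chains": chains,
                "total_watched_requests": len(events),
            }
    return findings


def _line(ip, ts, target, method="POST"):
    """Build one constructed combined-format log line (sample data only)."""
    return (f'{ip} - - [{ts.strftime(TS_FORMAT)}] "{method} {target} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0"')


def sample_log():
    """Constructed sample: one ordinary checkout from 203.0.113.10 and a burst
    of 8 create/get pairs within 70 seconds from 198.51.100.7."""
    t0 = datetime.strptime("23/May/2026:05:00:00 +0000", TS_FORMAT)
    lines = [
        _line("203.0.113.10", t0, "/shop/", "GET"),
        _line("203.0.113.10", t0 + timedelta(seconds=20), "/?wc-ajax=ppc-create-order"),
        _line("203.0.113.10", t0 + timedelta(seconds=23), "/?wc-ajax=ppc-get-order"),
        "garbage line that does not parse",
    ]
    t1 = t0 + timedelta(minutes=10)
    for i in range(8):
        lines.append(_line("198.51.100.7", t1 + timedelta(seconds=10 * i),
                           "/?wc-ajax=ppc-create-order"))
        lines.append(_line("198.51.100.7", t1 + timedelta(seconds=10 * i + 5),
                           "/?wc-ajax=ppc-get-order"))
    return lines


if __name__ == "__main__":
    for ip, info in find_suspicious(sample_log()).items():
        print(ip, info)
```

Running the script on the constructed sample reports only 198.51.100.7 (peak of 8 create calls in the window, 8 create-then-get chains); the single checkout from 203.0.113.10 stays under the threshold. Because the order ID is not visible in an access log, a hit from this heuristic is a lead to correlate with the firewall or plugin logs named in the other two recommended actions, not proof of exploitation.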

Advisories

No advisories yet.

History

Sat, 23 May 2026 05:00:00 +0000 (values added; none removed)

  • Description: The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all versions up to, and including, 4.0.1. The `ppc-create-order` endpoint accepts an arbitrary WooCommerce order ID in the `pay-now` context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The `ppc-get-order` endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers' order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim's WC order and then retrieving the PayPal order data.
  • Title: WooCommerce PayPal Payments <= 4.0.1 - Missing Authorization to Unauthenticated Order Manipulation and Information Disclosure
  • Weaknesses: CWE-862
  • References: (none)
  • Metrics: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-23T04:27:17.416Z

Reserved: 2026-05-22T16:04:02.399Z

Link: CVE-2026-9284

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-23T06:30:11Z

Weaknesses