WooCommerce PayPal Payments <= 4.0.1 - Missing Authorization to Unauthenticated Order Manipulation and Information Disclosure
Description
The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the ppc-create-order and ppc-get-order WC-AJAX endpoints in all versions up to, and including, 4.0.1. The ppc-create-order endpoint accepts an arbitrary WooCommerce order ID in the pay-now context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The ppc-get-order endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers' order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim's WC order and then retrieving the PayPal order data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in WooCommerce PayPal Payments plugin allows unauthenticated attackers to manipulate orders and disclose sensitive PayPal order data.
Vulnerability
The WooCommerce PayPal Payments plugin for WordPress versions up to and including 4.0.1 contains missing authorization checks on the ppc-create-order and ppc-get-order WC-AJAX endpoints. The ppc-create-order endpoint accepts an arbitrary WooCommerce order ID in the pay-now context without validating order ownership, allowing creation of PayPal orders for any WC order. The ppc-get-order endpoint returns full PayPal order details for any PayPal order ID without session binding. [1]
Exploitation
An unauthenticated attacker can chain these endpoints: first, call ppc-create-order with a victim's WooCommerce order ID to create a PayPal order and write PayPal metadata to that order. Then, call ppc-get-order with the resulting PayPal order ID to retrieve sensitive details such as payer information and shipping data. No authentication or user interaction is required. [1]
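The two checks the advisory says are missing, shown as an added illustration in the shape of WC-AJAX handlers: this is not the plugin's code, and the actual change in 4.0.2 may differ. The `order_id`, `order_key`, `context` and `id` request fields, the `ppcp_paypal_order_id` session key and the injected `$paypal` client (whose `create_order()` / `get_order()` stand in for the PayPal Orders API) are assumptions; `wc_get_order()`, `WC()->session`, `WC_Order::key_is_valid()`, `WC_Order::needs_payment()`, `current_user_can( 'pay_for_order', $order_id )` and `wp_send_json_error()` are real WordPress/WooCommerce APIs.

```php
<?php
/**
 * Added illustration, NOT the plugin's code. Assumed (hypothetical) names:
 * the 'order_id' / 'order_key' / 'context' / 'id' request fields, the
 * 'ppcp_paypal_order_id' session key, and the injected $paypal client whose
 * create_order()/get_order() methods stand in for the PayPal Orders API.
 */

/* ---- ppc-create-order, pay-now context ---- */

// BEFORE (the pattern the advisory describes): any WC order ID is accepted,
// a PayPal order is created for it and PayPal metadata is written to it.
function vulnerable_create_order( array $req, $paypal ): array {
	$order = wc_get_order( absint( $req['order_id'] ?? 0 ) );
	if ( ! $order ) {
		wp_send_json_error( 'unknown order', 404 );
	}
	$pp = $paypal->create_order( $order->get_total(), $order->get_currency() );
	$order->update_meta_data( '_ppcp_paypal_order_id', $pp['id'] );
	$order->save();
	return $pp;
}

// AFTER: the same ownership test WooCommerce's own pay-for-order page applies
// (order key plus the 'pay_for_order' capability), only for orders that still
// need payment, and the resulting PayPal order ID is bound to the requester's
// session so the get-order step below can verify it.
function hardened_create_order( array $req, $paypal ): array {
	$order_id = absint( $req['order_id'] ?? 0 );
	$order    = wc_get_order( $order_id );
	if ( ! $order ) {
		wp_send_json_error( 'unknown order', 404 );
	}
	if ( 'pay-now' === ( $req['context'] ?? '' ) ) {
		$key = sanitize_text_field( wp_unslash( $req['order_key'] ?? '' ) );
		// key_is_valid() compares against the order key that only appears in the
		// customer's own pay URL / e-mail, which is the only secret a guest has;
		// the capability check stops a logged-in user paying for another user's order.
		if ( ! $order->key_is_valid( $key ) || ! current_user_can( 'pay_for_order', $order_id ) ) {
			wp_send_json_error( 'not allowed', 403 );
		}
		if ( ! $order->needs_payment() ) {
			wp_send_json_error( 'order does not need payment', 400 );
		}
	}
	$pp = $paypal->create_order( $order->get_total(), $order->get_currency() );
	$order->update_meta_data( '_ppcp_paypal_order_id', $pp['id'] );
	$order->save();
	WC()->session->set( 'ppcp_paypal_order_id', $pp['id'] ); // assumed session key
	return $pp;
}

/* ---- ppc-get-order ---- */

// BEFORE: any PayPal order ID is looked up and the full PayPal order is returned.
function vulnerable_get_order( array $req, $paypal ): array {
	return $paypal->get_order( sanitize_text_field( $req['id'] ?? '' ) );
}

// AFTER: only the PayPal order created in this visitor's session may be read,
// and the payer / shipping block is not echoed back to the browser.
function hardened_get_order( array $req, $paypal ): array {
	$id    = sanitize_text_field( $req['id'] ?? '' );
	$bound = WC()->session->get( 'ppcp_paypal_order_id' );
	if ( ! is_string( $bound ) || '' === $id || ! hash_equals( $bound, $id ) ) {
		wp_send_json_error( 'not allowed', 403 );
	}
	$pp = $paypal->get_order( $id );
	// Return only what the checkout script needs (assumed: id and status).
	return array(
		'id'     => $pp['id'],
		'status' => $pp['status'],
	);
}
```

The order-key test is what makes the pay-now check meaningful for guest orders: WooCommerce grants `pay_for_order` on an order with no user ID to any requester, so the capability alone would not have stopped the chain described above. Binding the PayPal order ID to the WC session closes the second half of the chain even when an attacker already knows a PayPal order ID from another channel.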
Impact
Successful exploitation lets an unauthenticated attacker create a PayPal order on behalf of any WooCommerce order, writing PayPal metadata to that order and thereby interfering with the legitimate customer's payment flow, and then read the PayPal order back to obtain the payer information and shipping data it carries. [1]
Mitigation
The vulnerability is fixed in version 4.0.2 of the plugin. The latest version as of 2026-05-19 is 4.0.4. Users should update to version 4.0.2 or higher immediately. No workarounds are documented. [1]
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 4.0.1
Patches
- v4.0.2: woocommerce-paypal-payments 4.0.2 (next version after vulnerable 4.0.1)
References
- plugins.trac.wordpress.org/browser/woocommerce-paypal-payments/tags/3.3.2/modules/ppcp-button/src/Endpoint/CreateOrderEndpoint.php (source: MITRE)
- plugins.trac.wordpress.org/browser/woocommerce-paypal-payments/tags/3.3.2/modules/ppcp-button/src/Endpoint/GetOrderEndpoint.php (source: MITRE)
- plugins.trac.wordpress.org/browser/woocommerce-paypal-payments/trunk/modules/ppcp-button/src/Endpoint/CreateOrderEndpoint.php (source: MITRE)
- plugins.trac.wordpress.org/browser/woocommerce-paypal-payments/trunk/modules/ppcp-button/src/Endpoint/GetOrderEndpoint.php (source: MITRE)
- plugins.trac.wordpress.org/changeset (source: MITRE)
- www.wordfence.com/threat-intel/vulnerabilities/id/d5fa3282-b3be-4ea1-9865-011dea828a25 (source: MITRE)