Viewing 4 replies - 1 through 4 (of 4 total)
  • I second the request for a fix soon!

    I wouldn’t hold out hope. This vulnerability was originally posted 2019-01-27 and there have been 8 releases since then.

    Jason

    (@galapogos01)

    Where’s the vote button?

    Plugin Contributor Paul Dechov

    (@pauldechov)

    Hi all,

    We have determined that the conditions being reported do not constitute an exploit in the PayPal Checkout extension for WooCommerce. While it is true that the amount can be manipulated in the PayPal payment flow, this amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state. (In cases when the order is completed upon API payment request rather than IPN, the amount comes directly from the order, not a previous PayPal response.)

    If we were to receive exploit steps that result in a completed WooCommerce order with a lower payment amount (can be reported here), we would act promptly to address the issue.

    Thank you,

    Paul
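
The server-side check described in the reply above, as an added sketch in Python; it is not code from the PayPal Checkout extension or WooCommerce. The `Order` class, the notification field names `amount` and `currency`, and the `pending` and `processing` status names are assumptions made for illustration; only the "on hold" outcome comes from the reply.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

CENT = Decimal("0.01")

@dataclass
class Order:
    """Hypothetical stand-in for the store's server-side order record."""
    total: Decimal
    currency: str
    status: str = "pending"
    notes: list = field(default_factory=list)

def parse_money(value):
    """Return a non-negative 2-decimal Decimal, or None if the value is unusable."""
    try:
        amount = Decimal(str(value).strip())
        if not amount.is_finite() or amount < 0:
            return None
        return amount.quantize(CENT)
    except InvalidOperation:
        return None

def reconcile(order, notification):
    """Complete the order only if the processor's reported payment matches it."""
    if order.status != "pending":
        return order.status  # replayed notification: never re-open a decided order
    paid = parse_money(notification.get("amount"))
    currency = str(notification.get("currency", "")).upper()
    if paid is None or currency != order.currency or paid != parse_money(order.total):
        order.status = "on-hold"  # needs manual review, goods are not released
        order.notes.append(f"reported {notification.get('amount')!r} {currency!r}, "
                           f"expected {order.total} {order.currency}")
    else:
        order.status = "processing"  # assumed name for the paid state
    return order.status

# Constructed notifications for a 49.99 USD order; any field may have been altered.
SAMPLES = [
    {"amount": "49.99", "currency": "USD"},   # matches the order
    {"amount": "0.01", "currency": "USD"},    # amount lowered in the payment flow
    {"amount": "49.99", "currency": "JPY"},   # same number, different currency
    {"amount": "NaN", "currency": "USD"},     # unparseable amount
]

def run_samples():
    return [reconcile(Order(Decimal("49.99"), "USD"), n) for n in SAMPLES]

if __name__ == "__main__":
    print(run_samples())
```

The expected total is always read from the stored order, never from anything the payment flow returns, which is the property the reply relies on.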

  • The topic ‘Vulnerabilty in Plugin’ is closed to new replies.