Parameter Tampering in WooCommerce PayPal Checkout Payment Gateway Plugin by WordPress
CVE-2019-14979
5.3 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 29 August 2019
Summary
The WooCommerce PayPal Checkout Payment Gateway plugin version 1.6.17 for WordPress has a vulnerability that allows an attacker to manipulate the payment amount via the URL parameters, specifically using the cmd=_cart method. This manipulation may enable a purchase to be made at a lower price than intended. Although the plugin includes validation against the WooCommerce order total at checkout, any discrepancies leave the order in an 'On Hold' state, posing a risk for unfulfilled transactions and potential financial loss.
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved