Parameter Tampering in WooCommerce PayPal Checkout Payment Gateway by WordPress
CVE-2019-7441

6.5 MEDIUM

Key Information:

Vendor
WordPress
CVE Published:
21 March 2019

Summary

The WooCommerce PayPal Checkout Payment Gateway plugin version 1.6.8 for WordPress is susceptible to parameter tampering, particularly of the 'amount' parameter during transactions. A malicious user can modify the price of a purchase, potentially buying products for less than the intended price. The plugin does validate the amount against the actual WooCommerce order total, and an order whose manipulated amount does not match can be left in an 'On Hold' state. Website owners using this plugin should keep their installation updated and monitor transactions for suspicious activity.

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
