Unauthorized Order Creation in Payment Button for PayPal Plugin by WordPress

CVE-2025-14463

What is CVE-2025-14463?

The Payment Button for PayPal plugin for WordPress suffers from a serious vulnerability that enables unauthorized order creation. The exploitation stems from a public AJAX endpoint (wppaypalcheckout_ajax_process_order) that processes checkout results without the needed authentication or server-side validation of PayPal transactions. Attackers can exploit this flaw to create arbitrary orders on the website, using any transaction ID, payment status, product details, and customer information simply through direct POST requests to the vulnerable AJAX endpoint. Additionally, if email notifications are activated, it allows the possibility of sending purchase receipt emails to arbitrary addresses, which can result in order database corruption and unauthorized emails being dispatched, without any actual transaction taking place through PayPal.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

References