Payment Manipulation in Sylius PayPal Plugin by Sylius Core Team
CVE-2025-29788
What is CVE-2025-29788?
A vulnerability in the Sylius PayPal Plugin allows the final payment amount to be altered during the PayPal Express Checkout flow. In versions prior to 1.6.1, 1.7.1, and 2.0.1, changing item quantities in the shopping cart after payment has been initiated can result in PayPal capturing only the original amount while Sylius marks the order as fully paid against the new, higher total. The mismatch can arise accidentally or be triggered deliberately, and in either case the merchant ships an underpaid order and absorbs the difference. To address this vulnerability, update to the fixed versions (1.6.1, 1.7.1, or 2.0.1, or later) or adjust the affected checkout actions within the application so that the captured amount is checked against the current order total before the order is marked paid.
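The defensive check the description implies, written as an added example rather than the Sylius PayPal Plugin's own code: before a payment is transitioned to "completed", the amount PayPal actually captured is compared with the order total as it stands now, not as it stood when checkout began. The class names, the `reconcile()` function and the sample values are assumptions constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the Sylius PayPal Plugin's own code.
// Models the reconciliation a completion step needs: the amount PayPal
// captured must equal the order total recomputed from the cart at the
// moment the order is about to be marked paid.
// Names (CapturedPayment, OrderSnapshot, reconcile) are hypothetical.

final class CapturedPayment
{
    public function __construct(
        public readonly string $paypalOrderId,
        public readonly int $amountMinor,      // captured amount in minor units (e.g. cents)
        public readonly string $currencyCode,
    ) {}
}

final class OrderSnapshot
{
    public function __construct(
        public readonly string $orderNumber,
        public readonly int $totalMinor,       // current order total, recomputed from the cart
        public readonly string $currencyCode,
    ) {}
}

final class PaymentMismatchException extends RuntimeException {}

/**
 * Returns true only when the captured amount and currency match the
 * current order total. Throws otherwise so the caller leaves the payment
 * in its pending/failed state instead of completing the order.
 */
function reconcile(CapturedPayment $captured, OrderSnapshot $order): bool
{
    if ($captured->currencyCode !== $order->currencyCode) {
        throw new PaymentMismatchException(sprintf(
            'Order %s: PayPal captured %s but the order is priced in %s',
            $order->orderNumber, $captured->currencyCode, $order->currencyCode
        ));
    }
    if ($captured->amountMinor !== $order->totalMinor) {
        throw new PaymentMismatchException(sprintf(
            'Order %s: PayPal captured %d but the current order total is %d (%s)',
            $order->orderNumber, $captured->amountMinor, $order->totalMinor, $order->currencyCode
        ));
    }
    return true;
}

// Constructed sample: checkout started with one item at 49.99 EUR and PayPal
// captured 4999 cents; the cart quantity was then changed to 3 before completion.
$captured       = new CapturedPayment('PAYPAL-ORDER-ID-PLACEHOLDER', 4999, 'EUR');
$orderAtCapture = new OrderSnapshot('000000001', 4999, 'EUR');
$orderAfterEdit = new OrderSnapshot('000000001', 14997, 'EUR');

// Unchanged cart: amounts agree, the order may be completed.
var_dump(reconcile($captured, $orderAtCapture));

// Cart edited after payment was initiated: the check refuses to complete the order.
try {
    reconcile($captured, $orderAfterEdit);
} catch (PaymentMismatchException $e) {
    echo $e->getMessage(), PHP_EOL;
    // Defender action: keep the payment out of the "completed" state, log the
    // mismatch for review, and require a fresh PayPal authorization for the new total.
}
```

Two design points worth keeping: amounts are compared as integers in minor units so that float rounding cannot mask a difference, and the comparison is made against the order total recomputed at completion time, since a total cached when the PayPal order was created is exactly the value this vulnerability class lets a cart edit outrun. Logging the mismatch also gives a simple detection signal for the scenario the advisory describes.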
Timeline
Vulnerability published