Unauthorized Order Manipulation in WooCommerce PayPal Payments Plugin for WordPress
CVE-2026-9284

8.2 HIGH

Key Information:

Vendor:
WordPress

CVE Published:
23 May 2026

What is CVE-2026-9284?

The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and sensitive information disclosure in all versions up to and including 4.0.1. The ppc-create-order and ppc-get-order WC-AJAX endpoints perform no authorization check on the caller. An unauthenticated attacker can submit any WooCommerce order ID to ppc-create-order and have the plugin create a PayPal order for it, because the endpoint never verifies that the requester owns that order. The ppc-get-order endpoint likewise returns the full PayPal order record for any valid PayPal order ID, exposing payer details and shipping data to anyone who supplies such an ID. Together these flaws let an attacker interfere with the payment flow of other customers' orders and harvest customer data.
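The root cause described above is an endpoint that accepts an order identifier and acts on it without checking that the caller is entitled to that order. The following PHP is an added illustration of the authorization pattern a WC-AJAX handler needs; it is not code from the WooCommerce PayPal Payments plugin and does not reproduce its fix. The endpoint name example-get-order, the nonce action example_order_nonce, and the order_id/order_key request parameters are assumptions chosen for the example; the WordPress and WooCommerce functions it calls (wc_get_order, check_ajax_referer, get_current_user_id, current_user_can, wp_send_json_error) are real.

```php
<?php
/**
 * Illustrative hardened WC-AJAX handler (added example, not the plugin's own code).
 *
 * WooCommerce dispatches a request to ?wc-ajax=<name> by firing the
 * "wc_ajax_<name>" action. The hypothetical endpoint "example-get-order"
 * below refuses to return anything about a WooCommerce order unless the
 * caller proves ownership of it.
 */

add_action( 'wc_ajax_example-get-order', 'example_get_order_handler' );

/**
 * Decide whether the current request may act on $order.
 *
 * Logged-in shoppers must match the order's customer ID (shop managers are
 * also allowed). Guests must present the order key, which only the
 * purchaser receives, and it is compared in constant time.
 */
function example_caller_owns_order( WC_Order $order, string $supplied_key ): bool {
    $user_id = get_current_user_id();
    if ( $user_id > 0 ) {
        return (int) $order->get_customer_id() === $user_id
            || current_user_can( 'manage_woocommerce' );
    }
    return $supplied_key !== '' && hash_equals( $order->get_order_key(), $supplied_key );
}

function example_get_order_handler(): void {
    // Reject cross-site requests. The nonce action name is an assumption;
    // the checkout page would have to emit a matching nonce.
    check_ajax_referer( 'example_order_nonce', 'nonce' );

    // Parameter names are assumptions for this example.
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $key      = sanitize_text_field( wp_unslash( $_POST['order_key'] ?? '' ) );

    $order = $order_id ? wc_get_order( $order_id ) : false;

    // Use one indistinguishable failure response for "no such order" and
    // "not your order" so the endpoint cannot be used to enumerate valid IDs.
    if ( ! ( $order instanceof WC_Order ) || ! example_caller_owns_order( $order, $key ) ) {
        wp_send_json_error( array( 'message' => 'Invalid order.' ), 400 ); // exits
    }

    // Return only fields the shopper already sees on their own order page;
    // never relay a raw payment-provider record with payer and shipping data.
    wp_send_json_success( array(
        'id'     => $order->get_id(),
        'status' => $order->get_status(),
        'total'  => $order->get_total(),
    ) );
}
```

The two checks matter independently: the nonce stops a third-party page from driving a logged-in shopper's browser to the endpoint, and the ownership check is what actually closes the hole the advisory describes, since an unauthenticated attacker sends requests directly and is never affected by a nonce alone.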

Affected Version(s)

WooCommerce PayPal Payments: all versions from 0 up to and including 4.0.1


CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N


Credit

Dmitrii Ignatyev