CVE-2026-39643

Payment Plugins for PayPal WooCommerce <= 2.0.13 - Missing Authorization

Severity: medium
Type: Missing Authorization
CVSS Score: 5.3
Patched in: 2.0.14
Time to patch: 61d

Description

The Payment Plugins for PayPal WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 2.0.13. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Technical Details

Affected versions: <= 2.0.13
Published: February 14, 2026
Last updated: April 15, 2026

What Changed in the Fix

Changes introduced in v2.0.14


Source Code

WordPress.org SVN
Research Plan
Unverified


Setting)("ppcpGeneralData")` The settings are registered in `src/Blocks/Package.php` or similar. The variable name in the browser is usually `wc.wcSettings.getSetting( 'ppcpGeneralData' )`. Let's use that.

Exploitation Research Plan: CVE-2026-39643

1. Vulnerability Summary

The Payment Plugins for PayPal WooCommerce plugin for WordPress (versions <= 2.0.13) contains a missing authorization vulnerability in several AJAX/REST handlers. Specifically, functions related to the Fastlane checkout and order synchronization (such as ppcp_fastlane_set_customer_data or ppcp_set_external_id) are registered via wp_ajax_nopriv_ but fail to implement a capability check or ownership validation. This allows an unauthenticated attacker to modify order metadata, customer billing/shipping details, or associate arbitrary PayPal transaction IDs with existing WooCommerce orders.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: ppcp_fastlane_set_customer_data (or ppcp_fastlane_set_billing_data)
  • HTTP Method: POST
  • Payload Parameters:
    • action: The AJAX action string (e.g., ppcp_fastlane_set_customer_data).
    • nonce: A WordPress CSR
Research Findings
Static analysis — not yet PoC-verified

Summary

The Payment Plugins for PayPal WooCommerce plugin for WordPress (<= 2.0.13) fails to perform authorization checks on several AJAX handlers, including those for Fastlane checkout data and order synchronization. This allows unauthenticated attackers to modify customer billing/shipping information or associate arbitrary PayPal transaction IDs with existing WooCommerce orders.

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/pymntpl-paypal-woocommerce/2.0.13/i18n/languages/pymntpl-paypal-woocommerce.pot /home/deploy/wp-safety.org/data/plugin-versions/pymntpl-paypal-woocommerce/2.0.14/i18n/languages/pymntpl-paypal-woocommerce.pot
--- /home/deploy/wp-safety.org/data/plugin-versions/pymntpl-paypal-woocommerce/2.0.13/i18n/languages/pymntpl-paypal-woocommerce.pot	2026-03-30 20:41:16.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/pymntpl-paypal-woocommerce/2.0.14/i18n/languages/pymntpl-paypal-woocommerce.pot	2026-04-10 22:30:46.000000000 +0000
@@ -2,14 +2,14 @@
 # This file is distributed under the same license as the Payment Plugins for PayPal WooCommerce plugin.
 msgid ""
 msgstr ""
-"Project-Id-Version: Payment Plugins for PayPal WooCommerce 2.0.13\n"
+"Project-Id-Version: Payment Plugins for PayPal WooCommerce 2.0.14\n"
 "Report-Msgid-Bugs-To: https://wordpress.org/support/plugin/pymntpl-paypal-woocommerce\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"POT-Creation-Date: 2026-03-30T20:34:46+00:00\n"
+"POT-Creation-Date: 2026-04-10T22:27:22+00:00\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "X-Generator: WP-CLI 2.7.1\n"
 "X-Domain: pymntpl-paypal-woocommerce\n"
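Review bot: this hunk only bumps Project-Id-Version from 2.0.13 to 2.0.14 and moves POT-Creation-Date forward in the generated translation template; it contains no part of the authorization fix and should not be presented under "Security Fix" as if it were. The capability or ownership check the advisory describes would live in the PHP AJAX handler files, which this diff does not include, so the review needs the diff of those files rather than the regenerated .pot.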
@@ -143,15 +143,15 @@
 msgid "Please enter a valid email address before using Fastlane."
 msgstr ""
 
-#: packages/blocks/src/Payments/Gateways/PayPalGateway.php:49
+#: packages/blocks/src/Payments/Gateways/PayPalGateway.php:50
 msgid "After clicking \"%1$s\", you will be redirected to PayPal to complete your purchase securely."
 msgstr ""
 
-#: packages/blocks/src/Payments/Gateways/PayPalGateway.php:91
+#: packages/blocks/src/Payments/Gateways/PayPalGateway.php:92
 msgid "Some required fields are missing. Please review your details and then complete your order with PayPal."
 msgstr ""
 
-#: packages/blocks/src/Payments/Gateways/PayPalGateway.php:123
+#: packages/blocks/src/Payments/Gateways/PayPalGateway.php:124
 #: src/Payments/Gateways/PayPalGateway.php:195
 msgid "Pay with PayPal"
 msgstr ""
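Review bot: the only change in this hunk is that each source reference into packages/blocks/src/Payments/Gateways/PayPalGateway.php moves down by one line (49 to 50, 91 to 92, 123 to 124) while the reference to src/Payments/Gateways/PayPalGateway.php:195 is unchanged. That is consistent with a single line having been inserted near the top of the blocks gateway file in 2.0.14, but it reveals nothing about what that line is; confirm the actual handler change against the PHP diff before treating this as evidence of the fix.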
... (truncated)

Exploit Outline

The exploit targets AJAX handlers registered without capability checks or ownership validation. An unauthenticated attacker can send a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to a vulnerable handler (such as `ppcp_fastlane_set_customer_data` or `ppcp_set_external_id`). By providing specific parameters like `order_id` along with crafted billing or shipping metadata, the attacker can manipulate order records or associate their own transaction data with existing orders. No authentication or elevated privileges are required to perform these actions.
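As an added illustration (not the plugin's own code; the `example_*` action names, the `example_checkout` nonce action and the `order_key` parameter are assumptions), the unchecked `wp_ajax_nopriv_` handler pattern these findings describe, beside a version that only accepts writes from the order's actual owner:

```php
<?php
// Added example, not the plugin's code. The action names, nonce action and
// request parameters are hypothetical; the WordPress/WooCommerce calls are real.

// BEFORE: the pattern the findings describe. wp_ajax_nopriv_ exposes the
// handler to unauthenticated callers, and the caller-chosen order_id is
// trusted, so anyone can rewrite billing data on any order.
add_action( 'wp_ajax_nopriv_example_unsafe_set_customer_data', 'example_unsafe_set_customer_data' );
function example_unsafe_set_customer_data() {
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order ) {
        wp_send_json_error( 'invalid order', 400 );
    }
    $order->set_billing_email( sanitize_email( $_POST['billing_email'] ?? '' ) );
    $order->save();
    wp_send_json_success();
}

// AFTER: nonce, then ownership, then order state, before any write. A logged-in
// caller must own the order (or hold edit_shop_orders); a guest must present
// the order key WooCommerce issued when the order was created.
add_action( 'wp_ajax_nopriv_example_set_customer_data', 'example_set_customer_data' );
add_action( 'wp_ajax_example_set_customer_data', 'example_set_customer_data' );
function example_set_customer_data() {
    check_ajax_referer( 'example_checkout', 'nonce' ); // dies on a bad or missing nonce

    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order ) {
        wp_send_json_error( 'invalid order', 400 );
    }
    if ( ! example_caller_owns_order( $order, (string) ( $_POST['order_key'] ?? '' ) ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! $order->has_status( array( 'pending', 'failed' ) ) ) {
        wp_send_json_error( 'order can no longer be edited', 409 );
    }
    $order->set_billing_email( sanitize_email( $_POST['billing_email'] ?? '' ) );
    $order->save();
    wp_send_json_success();
}

function example_caller_owns_order( WC_Order $order, string $order_key ): bool {
    $owner_id = (int) $order->get_customer_id();
    if ( is_user_logged_in() ) {
        return $owner_id === get_current_user_id() || current_user_can( 'edit_shop_orders' );
    }
    // Guest order (customer id 0): the order key is the only credential; compare in constant time.
    return 0 === $owner_id && '' !== $order_key && hash_equals( $order->get_order_key(), $order_key );
}
```

The status check matters as much as the ownership check: once an order is paid, even its owner should not be able to rewrite billing or transaction data through a checkout endpoint.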
