WordPress Payment Button for PayPal Plugin Unauthorized Order Creation Vulnerability

Vulnerability

A vulnerability in the Payment Button for PayPal plugin for WordPress, affecting all versions through 1.2.3.41, allows unauthorized order creation. The plugin's public AJAX endpoint, 'wppaypalcheckout_ajax_process_order', processes checkout results without authentication or server-side verification of PayPal transactions. This flaw enables unauthenticated attackers to create arbitrary orders by sending direct POST requests to the AJAX endpoint, provided they can bypass basic parameter validation. If email notifications are enabled, the plugin will send purchase receipt emails to any specified email address, resulting in order database corruption and unauthorized outgoing emails, all without a real PayPal transaction occurring.

Impact

Exploitation of this vulnerability leads to unauthorized order creation on the affected WordPress site, with potential corruption of the order database. Additionally, if email notifications are enabled, the vulnerability allows for unauthorized emails to be sent from the site, causing further disruption.

Reproduction

To reproduce this vulnerability, send a POST request to the 'wppaypalcheckout_ajax_process_order' AJAX endpoint containing the desired transaction ID, payment status, product name, amount, and customer information. Once the endpoint's basic parameter validation is satisfied, an order is created. If the site has email notifications enabled, purchase receipt emails are also sent to the specified email address, adding to the impact of the vulnerability.
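Both the flaw described above and the reproduction steps come down to the handler trusting whatever checkout result the client posts. Below is an added example, not the plugin's own code, of a WordPress AJAX handler that instead confirms the order with PayPal's Orders v2 API before recording it; the action and nonce names, the option keys and the access-token storage are assumptions.

```php
// Added illustrative hardening, not the plugin's code. Action, nonce and option names are assumptions.
add_action( 'wp_ajax_example_process_order', 'example_process_order' );
add_action( 'wp_ajax_nopriv_example_process_order', 'example_process_order' );
function example_process_order() {
    // 1. Tie the request to a nonce issued with the checkout page.
    check_ajax_referer( 'example_checkout_nonce', 'nonce' );

    // 2. Accept only a well-formed PayPal order id; ignore every other client-supplied field.
    $order_id = sanitize_text_field( wp_unslash( $_POST['paypal_order_id'] ?? '' ) );
    if ( ! preg_match( '/^[A-Z0-9]{10,32}$/', $order_id ) ) {
        wp_send_json_error( 'invalid order id', 400 );
    }

    // 3. Ask PayPal, not the browser, whether this order was actually paid.
    $paypal = example_fetch_paypal_order( $order_id );
    if ( is_wp_error( $paypal ) || 'COMPLETED' !== ( $paypal['status'] ?? '' ) ) {
        wp_send_json_error( 'payment not verified', 402 );
    }

    // 4. Take amount, currency and payer email from PayPal's record, never from $_POST.
    $unit   = $paypal['purchase_units'][0] ?? array();
    $record = array(
        'amount'   => $unit['amount']['value'] ?? '',
        'currency' => $unit['amount']['currency_code'] ?? '',
        'email'    => sanitize_email( $paypal['payer']['email_address'] ?? '' ),
    );
    if ( '' === $record['amount'] || ! is_email( $record['email'] ) ) {
        wp_send_json_error( 'incomplete paypal record', 402 );
    }

    // 5. add_option() fails if the key exists, so a replayed id cannot create a second order.
    if ( ! add_option( 'example_order_' . $order_id, $record, '', false ) ) {
        wp_send_json_error( 'order already recorded', 409 );
    }
    wp_send_json_success( array( 'order' => $order_id ) ); // a receipt email would be sent here
}
// Look the order up in PayPal's Orders v2 API with a server-held access token.
function example_fetch_paypal_order( $order_id ) {
    $token = get_option( 'example_paypal_access_token' ); // assumed option name
    $resp  = wp_remote_get(
        'https://api-m.paypal.com/v2/checkout/orders/' . rawurlencode( $order_id ),
        array( 'headers' => array( 'Authorization' => 'Bearer ' . $token ), 'timeout' => 10 )
    );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return new WP_Error( 'paypal_lookup', 'PayPal order lookup failed' );
    }
    return json_decode( wp_remote_retrieve_body( $resp ), true );
}
```

A production handler would additionally compare the amount and currency PayPal reports against the server-side price of the product being sold, so that a genuine but underpaid order is rejected as well.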

Remediation

Users can update the Payment Button for PayPal plugin to version 1.2.3.42 or later, where this vulnerability has been addressed.

Added: Jan 17, 2026, 4:28 AM
Updated: Jan 17, 2026, 4:28 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 8.4
remediation: 0.0
relevance: 2.2
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.