Sylius PayPal Plugin Payment Amount Manipulation Vulnerability

Vulnerability

A vulnerability in the Sylius PayPal Plugin, affecting versions prior to 1.6.1, 1.7.1 and 2.0.1, allows the amount captured by PayPal to diverge from the order total that Sylius records as paid. When a user changes item quantities in the cart after PayPal Express Checkout has been started, the updated total is not sent to PayPal: PayPal captures only the amount it was given when checkout began, while Sylius marks the order as fully paid at the new total without comparing it with what PayPal actually captured. The mismatch can happen accidentally, but it can also be triggered deliberately, allowing a customer to receive goods while paying less than the order value.

Impact

A customer can deliberately underpay for orders: the merchant fulfils the order at its current total while PayPal has captured only the original, lower amount, causing direct financial loss and undermining the integrity of the payment process.

Reproduction

Add an item to the cart and start PayPal Express Checkout, so that a PayPal order is created for the cart total at that moment. Before the payment is completed, return to the cart and increase the item quantity (or add further items). Finish the PayPal checkout: PayPal captures only the original amount, while Sylius marks the order as fully paid at the new, higher total. Comparing the captured amount on the PayPal side with the order total shown in Sylius makes the discrepancy visible.

Remediation

Upgrade to Sylius PayPal Plugin 1.6.1, 1.7.1 or 2.0.1 (or later), depending on the release line in use. If an upgrade is not immediately possible, the issue can be worked around by overriding the 'ProcessPayPalOrderAction', 'CompletePayPalOrderFromPaymentPageAction' and 'CaptureAction' classes with custom logic that compares the amount PayPal reports for the PayPal order with the current Sylius order total and refuses to mark the order as paid when the two differ.
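The following is an added example, not code from the Sylius PayPal Plugin or from the advisory, that models both the reproduction scenario above and the amount check the remediation describes. It is written in language-neutral Python so that it runs stand-alone; in the real plugin the check would be implemented in PHP inside the overridden actions. Assumptions: the local order keeps its total as an integer in the currency's minor unit (cents), as Sylius does; the PayPal order is the parsed JSON of PayPal's Orders v2 GET /v2/checkout/orders/{id} response, with amounts as decimal strings and a separate currency_code; the PayPal order used below is constructed for the example, not a captured response; the Order class and all function names are hypothetical.

```python
"""Model of the Sylius PayPal Plugin amount check (added example, not plugin code)."""
from dataclasses import dataclass
from decimal import Decimal

# Currencies PayPal bills in whole units. Illustrative subset (assumption);
# consult PayPal's currency table for the authoritative list.
ZERO_DECIMAL_CURRENCIES = {"JPY", "HUF", "TWD"}


class PaymentAmountMismatch(Exception):
    """Raised when what PayPal charges does not equal the local order total."""


def to_minor_units(value: str, currency_code: str) -> int:
    """Convert a PayPal amount string to minor units with Decimal, never float.

    float("19.99") * 100 is 1998.9999999999998: int() would reject a correct
    payment, and round() would hide sub-cent differences.
    """
    exponent = 0 if currency_code.upper() in ZERO_DECIMAL_CURRENCIES else 2
    scaled = Decimal(value).scaleb(exponent)
    if scaled != scaled.to_integral_value():
        raise ValueError(f"{value!r} has more precision than {currency_code} allows")
    return int(scaled)


def paypal_amount(paypal_order: dict) -> tuple[int, str]:
    """Return (minor_units, currency_code) for the amount PayPal charges.

    Completed captures are authoritative when present; before capture, the
    purchase-unit amount is what PayPal was told to charge when checkout began.
    """
    total, currency = 0, None
    for unit in paypal_order["purchase_units"]:
        captures = unit.get("payments", {}).get("captures", [])
        captured = [c["amount"] for c in captures if c.get("status") == "COMPLETED"]
        for amount in captured or [unit["amount"]]:
            code = amount["currency_code"]
            if currency not in (None, code):
                raise PaymentAmountMismatch("mixed currencies in PayPal order")
            currency = code
            total += to_minor_units(amount["value"], code)
    if currency is None:
        raise PaymentAmountMismatch("PayPal order carries no amount")
    return total, currency


@dataclass
class Order:
    """Hypothetical stand-in for a Sylius order: sku -> (unit price in minor units, qty)."""
    items: dict
    currency: str = "USD"
    payment_state: str = "new"

    @property
    def total(self) -> int:
        return sum(price * qty for price, qty in self.items.values())


def start_express_checkout(order: Order) -> dict:
    """Constructed stand-in for the PayPal order created when checkout starts.

    PayPal snapshots the amount it is given here; nothing in the vulnerable
    flow re-sends it if the cart changes afterwards.
    """
    exponent = 0 if order.currency in ZERO_DECIMAL_CURRENCIES else 2
    value = str(Decimal(order.total).scaleb(-exponent))
    return {"id": "EXAMPLE-ORDER", "status": "APPROVED",
            "purchase_units": [{"amount": {"currency_code": order.currency, "value": value}}]}


def complete_vulnerable(order: Order, paypal_order: dict) -> str:
    """Pre-fix behaviour: marks the order paid without consulting PayPal's amount."""
    order.payment_state = "completed"
    return order.payment_state


def complete_hardened(order: Order, paypal_order: dict) -> str:
    """Fixed behaviour: refuse to mark the order paid unless the amounts agree."""
    charged, currency = paypal_amount(paypal_order)
    if currency != order.currency or charged != order.total:
        order.payment_state = "failed"
        raise PaymentAmountMismatch(
            f"PayPal charges {charged} {currency}, order total is {order.total} {order.currency}")
    order.payment_state = "completed"
    return order.payment_state


if __name__ == "__main__":
    order = Order({"hat": (1999, 1)})
    paypal_order = start_express_checkout(order)  # PayPal now holds 19.99 USD
    order.items["hat"] = (1999, 5)                # customer raises quantity to 5
    print("vulnerable:", complete_vulnerable(order, paypal_order))
    try:
        complete_hardened(order, paypal_order)
    except PaymentAmountMismatch as exc:
        print("hardened:", exc)
```

The comparison is done in integer minor units on both sides; parsing PayPal's decimal string with float and multiplying by 100 would produce off-by-one-cent rejections of legitimate payments. Currency is compared as well as amount, since an equal numeric value in a different currency is still an underpayment.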

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.0
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.