WooCommerce PayPal Payments Missing Authorization Vulnerability Allowing Order Manipulation and Information Disclosure

A vulnerability exists in the WooCommerce PayPal Payments plugin for WordPress, affecting all versions through 4.0.1. The issue arises from missing authorization checks on the 'ppc-create-order' and 'ppc-get-order' WC-AJAX endpoints. This vulnerability allows unauthorized users to manipulate orders and access sensitive information. Specifically, the 'ppc-create-order' endpoint can be exploited to create PayPal orders for any WooCommerce order by providing an arbitrary order ID, without verifying ownership. Additionally, the 'ppc-get-order' endpoint exposes full PayPal order details for any PayPal order ID, without session binding. As a result, unauthenticated attackers can exploit these endpoints to disrupt payment processes for other customers and retrieve confidential order information, such as payer and shipping details.

Impact

Exploitation of this vulnerability could lead to unauthorized manipulation of order payments and disclosure of sensitive customer information, including PayPal order details, payer information, and shipping data.

Remediation

Users are advised to update the WooCommerce PayPal Payments plugin to version 4.0.2 or a newer patched version.