
Keeping your Sylius store secure is our top priority, and while security updates may not always be the most exciting news, they are absolutely essential. We work diligently to identify and address vulnerabilities so that everyone in the Sylius ecosystem gets a safer experience, and we do our best to respond quickly whenever the community reports an issue.
Today, as part of that ongoing commitment, we are rolling out important fixes for the Sylius Mollie Plugin in versions 2.2.8, 3.2.4 and 3.3.1. If you are using this package, we encourage you to update as soon as you can and to spread the word so the whole community stays protected. The issues we are addressing include payment status forgery on the payment webhook and a customer data leak through order ID enumeration, both of which can lead to financial loss and privacy exposure for merchants.
Below, we outline the details of each issue, its impact, and the steps you need to take to keep your store safe.
The original security advisory has been published on GitHub at the Sylius/MolliePlugin repository.
The payment webhook accepts two independent, user-controlled parameters: the Mollie payment id and the Sylius order id. It never verifies that the payment belongs to the order. An attacker can pay for a single low-value order of their own, take their now-paid Mollie payment id, and replay it against any other order id. The victim’s order is then marked as paid even though no money was received for it. Order ids are sequential and the endpoint requires no authentication, so the attack scales across every pending order, letting an attacker mark unpaid orders as paid and receive goods without payment.
The issue is fixed in versions 2.2.9, 3.2.5, 3.3.2, and above.
If an immediate upgrade is not possible, decorate the webhook controller to verify that the incoming Mollie payment ID matches the ID stored for the order before applying any status change. See the full workaround in the advisory.
The original security advisory has been published on GitHub at the Sylius/MolliePlugin repository.
Two shop endpoints look orders up by a sequential order ID with no ownership check. The thank-you redirect returns the order’s private token in its response, and the QR-code endpoint returns order data outside the customer’s own session. Because that token is the only thing protecting an order, an unauthenticated attacker can enumerate order IDs, obtain each order’s token, and reach the account-registration page pre-filled with the customer’s name and email address, harvesting customer personal data at scale. Malformed requests also trigger an unauthenticated denial-of-service.
The issue is fixed in versions 2.2.9, 3.2.5, 3.3.2, and above.
If an immediate upgrade is not possible, decorate the QR-code and thank-you controllers to enforce order ownership and to resolve the order from its non-enumerable token instead of the sequential ID. See the full workaround in the advisory.
Then your store is running unpatched code, and both advisories above describe your installation. The plugin used to be distributed as bitbag/mollie-plugin and later mollie/sylius-plugin. Both packages are abandoned and will never receive these fixes.
In business terms: unpaid orders can be marked as paid, so goods leave your warehouse against money you never received, and customer names and email addresses can be harvested at scale, which is a personal data breach. Both advisories are now public, so the attack descriptions are available to everyone, not only to merchants reading this post.
Hand this to your development team today:
composer remove bitbag/mollie-plugin (or mollie/sylius-plugin), then composer require sylius/mollie-plugin.For most stores this is an afternoon of developer work. If it cannot happen today, have your team apply the workarounds from both advisories before the day ends. They hold only until the upgrade is complete. Sylius Slack is the fastest place to get unblocked.
| # | Advisory | Severity |
| 1 | Payment Status Forgery via the Payment Webhook | High |
| 2 | Customer Data Exposure via Order ID Enumeration | Moderate |
These fixes concern areas that directly affect the customer journey and store operations, including payment status and order access.
We recommend updating your plugin as soon as you can. Sharing these fixes with others in the community also helps keep the whole ecosystem safer for everyone.
We would like to thank everyone who participated in the responsible disclosure of these vulnerabilities. If you believe you have found a security vulnerability in Sylius, please do not post it publicly. Instead, report it to [email protected].
