Categories: Technical
PayPal: Security blog post #2 – 1.6.2, 1.7.2 & 2.0.2

Security is an ongoing commitment; sometimes, despite our best efforts, vulnerabilities slip through the cracks. We recently addressed an order manipulation issue in Sylius PayPalPlugin and released security patches. However, after further investigation, we discovered that the initial fix included in this week’s security release was incomplete. We sincerely apologize for this oversight and have issued an updated patch to resolve the issue fully.

If you are using Sylius PayPalPlugin in versions below 1.6.2, 1.7.2, or 2.0.2, we strongly urge you to update immediately. This vulnerability could allow malicious users to manipulate their shopping carts post-checkout, leading to potential financial losses for merchants.

Keeping your store secure is our top priority, and we appreciate your trust and vigilance in maintaining a safe eCommerce environment. Below, we outline the details of the issue, its impact, and the necessary steps to protect your business.

PayPalPlugin 1.6 and above

CVE-2025-?: Order Manipulation Vulnerability after PayPal Checkout

The original security advisory has been published on GitHub in the Sylius/PayPalPlugin repository.

Is my store affected by this vulnerability?

This issue exists in all PayPalPlugin versions before 1.6.2, 1.7.2 and 2.0.2.

Description

A discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment.

Impact

  • Users can exploit this flaw to receive products/services without paying the full amount.
  • Merchants may suffer financial losses due to underpaid orders.
  • Trust in the integrity of the payment process is compromised.

Patches

The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above.

Workarounds

If an immediate upgrade is not possible, merchants should take the following actions to mitigate risk:

  • Disable PayPal: To prevent fraudulent transactions, merchants should immediately disable the PayPal payment method in their shops.
  • Schedule an upgrade or a workaround implementation: Merchants should coordinate with their development teams to upgrade to a patched version of the PayPalPlugin (1.6.2, 1.7.2 or 2.0.2) as soon as possible or to have the workaround described in the security advisory implemented.
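As an added illustration of the control the description above calls for (this is not code from PayPalPlugin nor the workaround from the advisory): the amount and cart state present when PayPal approved the payment are snapshotted, and order completion is refused if the cart no longer matches that snapshot. All class and function names are hypothetical.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class Order:
    order_id: str
    currency: str
    # constructed sample data: variant code -> (unit price in minor units, quantity)
    items: dict = field(default_factory=dict)

    @property
    def total(self) -> int:
        return sum(price * qty for price, qty in self.items.values())

    def fingerprint(self) -> str:
        # Deterministic digest of everything that decides the amount owed.
        payload = {"currency": self.currency, "items": sorted(self.items.items()), "total": self.total}
        return hashlib.sha256(json.dumps(payload, separators=(",", ":")).encode()).hexdigest()


@dataclass(frozen=True)
class Authorization:
    order_id: str
    amount: int        # what PayPal actually authorized, in minor units
    fingerprint: str   # cart state at the moment the buyer approved the payment


def record_authorization(order: Order) -> Authorization:
    """Snapshot the cart when the PayPal approval comes back (hypothetical hook)."""
    return Authorization(order.order_id, order.total, order.fingerprint())


def verify_before_completion(order: Order, auth: Authorization) -> tuple[bool, str]:
    """Gate 'complete order' on the cart still matching what was authorized."""
    if order.order_id != auth.order_id:
        return False, "authorization belongs to another order"
    if order.total != auth.amount:
        return False, f"order total {order.total} != authorized {auth.amount}"
    if order.fingerprint() != auth.fingerprint:   # catches same-total item swaps too
        return False, "cart contents changed after authorization"
    return True, "ok"


def demo_manipulated_cart() -> tuple[bool, str]:
    """Replays the advisory scenario: approve a cart, then add an item before completion."""
    order = Order("ORD-1", "USD", {"MUG-001": (1500, 2)})   # constructed: 30.00
    auth = record_authorization(order)
    order.items["TSHIRT-042"] = (2500, 1)                    # added after PayPal approval
    return verify_before_completion(order, auth)
```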

Keeping your store secure is crucial – please update your plugin and inform your peers in the Sylius community about this fix to ensure a safer environment for all.

Tags: news Sylius
Grzegorz Sadowski
Grzegorz is primarily one of Sylius most experienced software developers and also our Scrum Master. As he’s got a knack for detail in numbers, he is also keeping an eye on our financial and legal operations. Privately he’s a Madridista since childhood. He’d literally enjoy driving any car on earth. He’s already planned to buy an electric Audi for his tiny daughter.