PS Summit! We’re organizing a major event
3 min. read
Categories: Security
MolliePlugin: Security blog post – 2.2.9, 3.2.5 and 3.3.2

Keeping your Sylius store secure is our top priority, and while security updates may not always be the most exciting news, they are absolutely essential. We work diligently to identify and address vulnerabilities so that everyone in the Sylius ecosystem gets a safer experience, and we do our best to respond quickly whenever the community reports an issue.

Today, as part of that ongoing commitment, we are rolling out important fixes for the Sylius Mollie Plugin in versions 2.2.8, 3.2.4 and 3.3.1. If you are using this package, we encourage you to update as soon as you can and to spread the word so the whole community stays protected. The issues we are addressing include payment status forgery on the payment webhook and a customer data leak through order ID enumeration, both of which can lead to financial loss and privacy exposure for merchants.

Below, we outline the details of each issue, its impact, and the steps you need to take to keep your store safe.

Sylius Mollie Plugin 2.2 and above

Payment Status Forgery via the Payment Webhook

CVE-2026-?: Payment Status Forgery via the Payment Webhook

The original security advisory has been published on GitHub at the Sylius/MolliePlugin repository.

Impact

The payment webhook accepts two independent, user-controlled parameters: the Mollie payment id and the Sylius order id. It never verifies that the payment belongs to the order. An attacker can pay for a single low-value order of their own, take their now-paid Mollie payment id, and replay it against any other order id. The victim’s order is then marked as paid even though no money was received for it. Order ids are sequential and the endpoint requires no authentication, so the attack scales across every pending order, letting an attacker mark unpaid orders as paid and receive goods without payment.

Patches

The issue is fixed in versions 2.2.9, 3.2.5, 3.3.2, and above.

Workarounds

If an immediate upgrade is not possible, decorate the webhook controller to verify that the incoming Mollie payment ID matches the ID stored for the order before applying any status change. See the full workaround in the advisory.

Customer Data Exposure via Order ID Enumeration

CVE-2026-?: Customer Data Exposure via Order ID Enumeration

The original security advisory has been published on GitHub at the Sylius/MolliePlugin repository.

Impact

Two shop endpoints look orders up by a sequential order ID with no ownership check. The thank-you redirect returns the order’s private token in its response, and the QR-code endpoint returns order data outside the customer’s own session. Because that token is the only thing protecting an order, an unauthenticated attacker can enumerate order IDs, obtain each order’s token, and reach the account-registration page pre-filled with the customer’s name and email address, harvesting customer personal data at scale. Malformed requests also trigger an unauthenticated denial-of-service.

Patches

The issue is fixed in versions 2.2.9, 3.2.5, 3.3.2, and above.

Workarounds

If an immediate upgrade is not possible, decorate the QR-code and thank-you controllers to enforce order ownership and to resolve the order from its non-enumerable token instead of the sequential ID. See the full workaround in the advisory.

Still running a pre-Sylius version of the plugin?

Then your store is running unpatched code, and both advisories above describe your installation. The plugin used to be distributed as bitbag/mollie-plugin and later mollie/sylius-plugin. Both packages are abandoned and will never receive these fixes.

In business terms: unpaid orders can be marked as paid, so goods leave your warehouse against money you never received, and customer names and email addresses can be harvested at scale, which is a personal data breach. Both advisories are now public, so the attack descriptions are available to everyone, not only to merchants reading this post.

Hand this to your development team today:

  1. Replace the abandoned package: composer remove bitbag/mollie-plugin (or mollie/sylius-plugin), then composer require sylius/mollie-plugin.
  2. Select the plugin version matching your Sylius version and follow the upgrade notes in the repository.
  3. Update the bundle registration, service prefix, template overrides and namespace references left over from the old package.
  4. Run migrations, rebuild assets, clear the cache, verify a test payment end to end.

For most stores this is an afternoon of developer work. If it cannot happen today, have your team apply the workarounds from both advisories before the day ends. They hold only until the upgrade is complete. Sylius Slack is the fastest place to get unblocked.

Summary

#AdvisorySeverity
1Payment Status Forgery via the Payment WebhookHigh
2Customer Data Exposure via Order ID EnumerationModerate

These fixes concern areas that directly affect the customer journey and store operations, including payment status and order access.

We recommend updating your plugin as soon as you can. Sharing these fixes with others in the community also helps keep the whole ecosystem safer for everyone.

We would like to thank everyone who participated in the responsible disclosure of these vulnerabilities. If you believe you have found a security vulnerability in Sylius, please do not post it publicly. Instead, report it to [email protected].

Share:
Kamil Grygierzec
Kamil started to be interested in programming in 2016, because of the local CoderDojo sessions. He always wanted to be front-end developer, but at the end felt more suitable in back-end. IT technician since childhood, huge IOT enthusiast, occasionally football player and madridista wholeheartedly.
More from our blog
Technical 3 min read 04.12.2024
Here’s everything you had to know about the first major release since 2017! Over 7 years after the first major release, on Nov 12, 2024, we have released Sylius 2.0.0. We had a great opportunity to announce it first at SyliusCon in Lyon, but now, as we are back to… Read More
3 min read 22.11.2024
The emotions start to settle after SyliusCon, and it’s time to reflect on this incredible milestone in our journey. Why a milestone? Because SyliusCon exceeded our expectations in every possible way. We broke attendance records and brought together the key figures of our community, numerous partners, freelancers, and simply all… Read More
Cloud 3 min read 17.06.2024
We are thrilled to announce that we just signed a strategic partnership with Upsun, and as a result, we are extending our offer with Sylius Cloud powered by Upsun. Upsun is a modern Platform-as-a-Service (PaaS) solution that allows businesses to leverage the cloud environment without losing access to the code… Read More
Comments