{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/woocommerce-paypal-payments-plugin--4.0.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-9284"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["WooCommerce PayPal Payments plugin \u003c= 4.0.1"],"_cs_severities":["high"],"_cs_tags":["woocommerce","wordpress","paypal","authorization-bypass","information-disclosure"],"_cs_type":"advisory","_cs_vendors":["WooCommerce"],"content_html":"\u003cp\u003eThe WooCommerce PayPal Payments plugin for WordPress, in versions up to and including 4.0.1, contains a vulnerability (CVE-2026-9284) that allows for unauthorized order manipulation and information disclosure. The vulnerability stems from missing authorization checks on the \u003ccode\u003eppc-create-order\u003c/code\u003e and \u003ccode\u003eppc-get-order\u003c/code\u003e WC-AJAX endpoints. By exploiting these missing checks, an attacker can create PayPal orders for arbitrary WooCommerce orders and retrieve PayPal order details without proper authorization. This can lead to attackers manipulating other customers\u0026rsquo; order payment flows and exfiltrating sensitive order details.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a target WooCommerce store using the vulnerable plugin (version \u0026lt;= 4.0.1).\u003c/li\u003e\n\u003cli\u003eThe attacker discovers a valid WooCommerce order ID belonging to another customer.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted request to the \u003ccode\u003eppc-create-order\u003c/code\u003e WC-AJAX endpoint, specifying the victim\u0026rsquo;s WooCommerce order ID in the \u003ccode\u003epay-now\u003c/code\u003e context. 
The plugin does not validate that the requester owns that order, so the request is accepted.\u003c/li\u003e\n\u003cli\u003eThe plugin creates a new PayPal order linked to the victim\u0026rsquo;s WooCommerce order and writes the PayPal metadata to it.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains the PayPal order ID that is now associated with the victim\u0026rsquo;s order.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the \u003ccode\u003eppc-get-order\u003c/code\u003e WC-AJAX endpoint, specifying that PayPal order ID.\u003c/li\u003e\n\u003cli\u003eThe plugin returns the full PayPal order, including payer information and shipping data, without validating the requester\u0026rsquo;s session.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates those details and could also attempt to modify the shipping information, potentially diverting the order.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to interfere with the payment flows of other customers\u0026rsquo; orders in a WooCommerce store and to exfiltrate sensitive order details such as payer information and shipping data.
Attackers could also modify order details, potentially diverting shipments or causing financial harm to both the store owner and their customers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the WooCommerce PayPal Payments plugin to a version newer than 4.0.1 that fixes CVE-2026-9284. The fix is an ownership check on the affected endpoints; the monitoring and rate limiting below reduce exposure but do not remove the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003eppc-create-order\u003c/code\u003e and \u003ccode\u003eppc-get-order\u003c/code\u003e WC-AJAX endpoints. WooCommerce dispatches WC-AJAX handlers on the \u003ccode\u003ewc-ajax\u003c/code\u003e query parameter, so these calls appear in access logs as requests such as \u003ccode\u003ePOST /?wc-ajax=ppc-get-order\u003c/code\u003e. Legitimate checkouts hit the same endpoints, so alert on volume and context rather than on the path alone: many calls from one client in a short window, or calls whose Referer is not the store\u0026rsquo;s own checkout page (a weak and easily spoofed signal). See the Sigma rule \u0026ldquo;Detect CVE-2026-9284 Exploitation — Unauthorized Access to WooCommerce PayPal Endpoints\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eRate-limit the \u003ccode\u003eppc-create-order\u003c/code\u003e and \u003ccode\u003eppc-get-order\u003c/code\u003e endpoints per client to slow enumeration of order IDs until the upgrade is applied.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T13:34:35Z","date_published":"2026-05-26T13:34:35Z","id":"https://feed.craftedsignal.io/briefs/2026-05-woocommerce-paypal-auth-bypass/","summary":"The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on WC-AJAX endpoints, allowing attackers to manipulate order payment flows and exfiltrate sensitive order details (CVE-2026-9284).","title":"WooCommerce PayPal Payments Plugin Vulnerable to Order Manipulation and Information Disclosure (CVE-2026-9284)","url":"https://feed.craftedsignal.io/briefs/2026-05-woocommerce-paypal-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — WooCommerce PayPal Payments Plugin \u003c= 4.0.1","version":"https://jsonfeed.org/version/1.1"}
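The log-monitoring recommendation above, worked through as an added example that is not part of the feed, the Sigma rule it cites, or the plugin's own code. It parses Apache/nginx combined-format access-log lines, picks out WC-AJAX calls by the `wc-ajax` query parameter (which is how WooCommerce dispatches these handlers), and raises two alerts per client: a burst of watched calls inside a sliding window, and calls whose Referer is not the store's checkout page. The store hostname `shop.example`, the window and threshold values, and the sample traffic (a customer paying from the checkout page, an unrelated login request, and a scripted client alternating `ppc-create-order` and `ppc-get-order` calls as in the attack chain) are all constructed for the example.

```python
"""Detection over access logs for CVE-2026-9284 abuse (added example, not from the feed).

Two signals are raised, at most once per (client IP, rule):
  * burst:           >= THRESHOLD watched WC-AJAX calls from one client inside WINDOW
  * offsite-referer: a watched call whose Referer is not the store's own checkout page
                     (weak signal: trivially spoofable, but scripted abuse rarely bothers)
Normal checkouts hit the same endpoints, so volume and context, not the path alone,
separate abuse from customers paying for their own orders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

WATCHED_ACTIONS = {"ppc-create-order", "ppc-get-order"}
STORE_HOST = "shop.example"      # hypothetical store hostname
WINDOW = timedelta(seconds=60)   # sliding window for the burst rule (assumed tuning)
THRESHOLD = 10                   # watched calls per client per WINDOW (assumed tuning)

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # WooCommerce routes WC-AJAX handlers on the `wc-ajax` query parameter.
    rec["action"] = parse_qs(urlsplit(rec["path"]).query).get("wc-ajax", [None])[0]
    return rec


def detect(lines, store_host=STORE_HOST, window=WINDOW, threshold=THRESHOLD):
    """Scan log lines in order and return a list of alert dicts."""
    recent = defaultdict(deque)  # ip -> timestamps of watched calls inside `window`
    raised = set()
    alerts = []

    def raise_once(ip, rule, **extra):
        if (ip, rule) not in raised:
            raised.add((ip, rule))
            alerts.append({"ip": ip, "rule": rule, **extra})

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] not in WATCHED_ACTIONS:
            continue
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop calls that fell out of the window
            q.popleft()
        referer_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        if referer_host != store_host:
            raise_once(ip, "offsite-referer", action=rec["action"], referer=rec["referer"])
        if len(q) >= threshold:
            raise_once(ip, "burst", count=len(q), seconds=int((ts - q[0]).total_seconds()))
    return alerts


# Constructed sample traffic (not real logs; IPs from documentation ranges).
def _line(ip, ts, method, path, status, referer, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "{referer}" "{ua}"'


CHECKOUT = "https://shop.example/checkout/"
BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"

SAMPLE_LOG = [
    _line("203.0.113.7", "26/May/2026:10:14:03 +0000", "GET", "/checkout/", 200, "https://shop.example/cart/", BROWSER),
    _line("203.0.113.7", "26/May/2026:10:14:21 +0000", "POST", "/?wc-ajax=ppc-create-order", 200, CHECKOUT, BROWSER),
    _line("203.0.113.7", "26/May/2026:10:14:40 +0000", "POST", "/?wc-ajax=ppc-get-order", 200, CHECKOUT, BROWSER),
    _line("192.0.2.44", "26/May/2026:10:14:50 +0000", "POST", "/wp-login.php", 302, "-", "curl/8.5.0"),
] + [
    # Scripted client: create-order / get-order pairs every two seconds, no Referer.
    _line("198.51.100.23", f"26/May/2026:10:15:{2 * i:02d} +0000", "POST",
          "/?wc-ajax=" + ("ppc-create-order" if i % 2 == 0 else "ppc-get-order"),
          200, "-", "python-requests/2.32.0")
    for i in range(12)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On real logs, feed `detect()` the lines of the access log in chronological order and tune `WINDOW` and `THRESHOLD` to the store's checkout rate; a customer retrying a payment a few times stays well under the threshold, while a scripted client walking order IDs trips it. The Referer rule should be treated as corroboration, not as a standalone alert.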