
PayPal Gateway Vulnerability + Patch – WC


In older versions of WooCommerce, the PayPal gateway did not compare the amount reported in PayPal's Instant Payment Notification (IPN) against the order total. Because the amount sent to PayPal comes from the checkout form, a customer could edit that form during checkout and pay less than the order was worth, and the order would still be marked as paid when the IPN arrived. The altered amount is visible in PayPal's own payment notifications, but it can easily go unnoticed. Applying the manual patch below or upgrading to is highly recommended.

Affected version(s)

WooCommerce and below are affected. This issue was patched in

Affected file(s)

woocommerce / classes / gateways / paypal / class-wc-paypal.php

Manual Patch

On line 608 of the PayPal gateway, in the IPN handler after PayPal has confirmed the notification as VERIFIED and before the order is marked as paid, the following check needs to be added. $posted holds the fields PayPal sent in the IPN; mc_gross is the amount actually paid:

// Validate Amount
if ( $order->get_total() != $posted['mc_gross'] ) {

    if ( $this->debug == 'yes' )
        $this->log->add( 'paypal', 'Payment error: Amounts do not match (gross ' . $posted['mc_gross'] . ')' );

    // Put this order on-hold for manual checking
    $order->update_status( 'on-hold', sprintf( __( 'Validation error: PayPal amounts do not match (gross %s).', 'woocommerce' ), $posted['mc_gross'] ) );

    // Stop here so that the code below never marks the order as paid
    exit;
}

On a mismatch the order is left on-hold with the reported gross amount in the order note, so the store owner can reconcile it against the PayPal transaction before fulfilling it. Note that != is PHP's loose comparison; it relies on both sides being numeric.
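The following is an added, self-contained example and not WooCommerce's own code. It places the unchecked IPN handling described above beside a validated version, and goes beyond the page's amount check by also verifying mc_currency and receiver_email, since the same tampered checkout form can change the currency_code and business fields. The Order class, the $ipn array, the txn_id and MERCHANT_EMAIL are stand-ins constructed for this example; in the real gateway the order comes from the database and the IPN fields are the POST body PayPal sent to the listener, after it has been echoed back to PayPal and answered VERIFIED.

```php
<?php
// Added example, not WooCommerce's own code: an IPN handler that compares what
// PayPal reports against the local order before treating the order as paid.
// Order, $ipn and MERCHANT_EMAIL are constructed stand-ins for this example.
declare(strict_types=1);

const MERCHANT_EMAIL = 'shop@example.com';   // assumed merchant PayPal account

final class Order
{
    public string $status = 'pending';
    /** @var string[] */
    public array $notes = [];

    public function __construct(
        public int $id,
        public string $total,      // decimal string as stored, e.g. "49.99"
        public string $currency,   // ISO 4217 code, e.g. "USD"
    ) {}

    public function update_status(string $status, string $note): void
    {
        $this->status  = $status;
        $this->notes[] = $note;
    }
}

// Compare two money amounts as fixed 2-decimal strings rather than with a loose
// != between a string and a float; assumes a 2-decimal currency.
function amounts_match(string $a, string $b): bool
{
    return number_format((float) $a, 2, '.', '') === number_format((float) $b, 2, '.', '');
}

// Vulnerable pattern: the IPN is trusted once payment_status is Completed; mc_gross
// is never compared to the order total, so a tampered checkout form pays whatever
// the customer chose and the order is still marked as paid.
function process_ipn_unchecked(Order $order, array $ipn): void
{
    if ($ipn['payment_status'] === 'Completed') {
        $order->update_status('processing', "IPN payment completed (txn {$ipn['txn_id']})");
    }
}

// Hardened pattern: amount, currency and receiver must all match before the order
// is marked paid. Any mismatch parks the order on-hold for manual review and
// returns, so the "paid" branch is never reached.
function process_ipn_validated(Order $order, array $ipn): void
{
    if (!amounts_match($order->total, $ipn['mc_gross'])) {
        $order->update_status('on-hold', sprintf(
            'Validation error: PayPal amounts do not match (gross %s).', $ipn['mc_gross']));
        return;
    }
    // A tampered form can also change currency_code: 49.99 JPY is not 49.99 USD.
    if (strcasecmp($order->currency, $ipn['mc_currency']) !== 0) {
        $order->update_status('on-hold', sprintf(
            'Validation error: PayPal currencies do not match (%s).', $ipn['mc_currency']));
        return;
    }
    // And the business field: confirm the money actually went to this shop's account.
    if (strcasecmp(MERCHANT_EMAIL, $ipn['receiver_email']) !== 0) {
        $order->update_status('on-hold', sprintf(
            'Validation error: PayPal receiver does not match (%s).', $ipn['receiver_email']));
        return;
    }
    if ($ipn['payment_status'] === 'Completed') {
        $order->update_status('processing', "IPN payment completed (txn {$ipn['txn_id']})");
    }
}

// Constructed IPN for a 49.99 USD order whose checkout form had its amount edited
// to 0.01 before submission. PayPal faithfully reports what was actually paid.
$ipn = [
    'txn_id'         => 'EXAMPLE-TXN-0001',
    'payment_status' => 'Completed',
    'mc_gross'       => '0.01',
    'mc_currency'    => 'USD',
    'receiver_email' => 'shop@example.com',
];

$unchecked = new Order(1001, '49.99', 'USD');
process_ipn_unchecked($unchecked, $ipn);
printf("unchecked: order %d is %s\n", $unchecked->id, $unchecked->status);

$validated = new Order(1001, '49.99', 'USD');
process_ipn_validated($validated, $ipn);
printf("validated: order %d is %s (%s)\n", $validated->id, $validated->status, end($validated->notes));
```

Run with php 8.0 or later. The unchecked path moves the 49.99 order to processing on a 0.01 payment; the validated path leaves it on-hold with the amount-mismatch note, which is exactly what the manual patch above achieves inside the gateway. The receiver check matters because the merchant address is a plain form field too: without it, a customer can redirect the payment to their own PayPal account and the IPN for that payment will still arrive at the store's listener.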