WooCommerce PayPal Payments Missing Authorization to Unauthenticated Order Manipulation (CVE-2026-9284)

Vulnerability Overview Vulnerability Name: WooCommerce PayPal Payments <= 4.0.1 - Missing Authorization to Unauthenticated Order Manipulation and Information Disclosure CVE ID: CVE-2026-9284 CVSS Score: 8.2 (High) Published Date: May 22, 2026 Last Updated Date: May 23, 2026 Researcher: Dmitrii Ignatyev - CleanTalk Inc Impact Scope Affected Versions: WooCommerce PayPal Payments <= 4.0.1 Vulnerability Description: The WooCommerce PayPal Payments plugin contains a vulnerability allowing unauthorized order manipulation and information disclosure. Attackers can create arbitrary orders and write PayPal metadata without verifying order ownership. Additionally, the endpoint returns complete PayPal order details, enabling attackers to manipulate other customers' order processes and extract sensitive order details (such as payment information, shipping data). Remediation Fixed Version: Update to version 4.0.2 or a later patched version Additional Information Software Type: Plugin Software Slug: woocommerce-paypal-payments Patched: Yes Patch Version: 4.0.2 Recent Related Vulnerabilities Vulnerability Title: WooCommerce PayPal Payments <= 2.0.4 - Cross-Site Request Forgery CVE ID: CVE-2023-35917 CVSS Score: 4.3 Researcher: Rafie Muhammad Published Date: June 20, 2023 Reference Links plugins.trac.wordpress.org Share Options Facebook X (Twitter) LinkedIn Email Disclaimer This record contains copyrighted material provided by Defiant Inc and THE MITRE Corporation. Contact Information For errors or to add information, please contact: wfsupport@wordfence.com Business Hours 9am-8pm ET, 6am-5pm PT, 2pm-1am UTC/GMT (excluding weekends and holidays) 24/7 customer support, 365 days a year, with a 1-hour response time Additional Links Terms of Service Privacy Policy and Notice Collection Do Not Sell or Share My Personal Information Social Media Twitter Facebook YouTube Instagram Products and Support Wordfence Free Wordfence Premium Wordfence Care Wordfence Response Wordfence CLI Wordfence Intelligence Wordfence Central News Blog In The News Vulnerability Advisories About About Wordfence Affiliate Program Employment Contact Security CVE Request Form Subscribe Subscribe to news and updates Email input field Agree to terms and privacy policy checkbox Register button Copyright © 2012-2026 Defiant Inc. All Rights Reserved

Goal Reached Thanks to every supporter — we hit 100%!

WooCommerce PayPal Payments Missing Authorization to Unauthenticated Order Manipulation (CVE-2026-9284)

More from this source