CVE-2025-14463: CWE-862 Missing Authorization in naa986 Payment Button for PayPal
The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, product name, amount, or customer information via direct POST requests to the AJAX endpoint, provided they can bypass basic parameter validation. If email sending is enabled, the plugin will also trigger purchase receipt emails to any email address supplied in the request, leading to order database corruption and unauthorized outgoing emails without any real PayPal transaction taking place.
AI Analysis
Technical Summary
CVE-2025-14463 affects the Payment Button for PayPal plugin for WordPress, versions up to and including 1.2.3.41. The vulnerability stems from a publicly accessible AJAX endpoint named `wppaypalcheckout_ajax_process_order` that processes checkout results without any authentication or server-side validation of the PayPal transaction. This lack of authorization (CWE-862) allows unauthenticated attackers to craft POST requests with arbitrary parameters such as transaction ID, payment status, product name, amount, and customer information. Because the plugin does not verify the legitimacy of these transactions with PayPal, attackers can create fake orders that corrupt the order database and trigger purchase receipt emails to any supplied email address if email notifications are enabled. This can lead to unauthorized outgoing emails, potentially facilitating phishing or spam campaigns, and undermines the integrity of the e-commerce system. The vulnerability requires no privileges or user interaction and can be exploited remotely over the network. The CVSS 3.1 base score is 5.3 (medium), reflecting the lack of confidentiality or availability impact but a clear integrity impact. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was reserved in December 2025 and published in January 2026 by Wordfence.
Potential Impact
For European organizations using WordPress sites with the Payment Button for PayPal plugin, this vulnerability can lead to significant integrity issues in their e-commerce order databases. Attackers can inject fraudulent orders, causing financial reconciliation problems and operational disruptions. The unauthorized sending of purchase receipt emails can damage customer trust, lead to reputational harm, and potentially expose organizations to regulatory scrutiny under GDPR if personal data is mishandled or abused. Additionally, the ability to send arbitrary emails could be leveraged for phishing or social engineering attacks targeting customers or employees. While the vulnerability does not directly impact confidentiality or availability, the indirect effects on business processes and customer relationships can be substantial. Organizations relying on automated order processing and email notifications are particularly vulnerable. The lack of authentication and server-side verification means the attack surface is broad, and exploitation can be automated at scale.
Mitigation Recommendations
European organizations should immediately assess whether they use the Payment Button for PayPal plugin on their WordPress sites and identify the plugin version. If the plugin is in use, the primary mitigation is to disable or uninstall the plugin until a patched version is released. If disabling is not feasible, restrict access to the vulnerable AJAX endpoint (`wppaypalcheckout_ajax_process_order`) by implementing web application firewall (WAF) rules or server-level access controls to allow only trusted IP addresses or authenticated users. Implement server-side validation of PayPal transactions by integrating PayPal's IPN (Instant Payment Notification) or API verification to confirm transaction authenticity before processing orders. Monitor order creation logs for unusual patterns such as a high volume of orders from single IPs or suspicious transaction IDs. Disable email notifications for purchases temporarily to prevent unauthorized emails from being sent. Finally, keep WordPress core and all plugins updated and subscribe to vendor advisories for timely patch releases.
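As an added illustration of the two controls the recommendations above call for (a request-origin check and server-side verification of the PayPal transaction before an order is recorded), here is a hardened WordPress AJAX handler written for this page; it is not the plugin's code and does not show how the plugin is implemented. Every name prefixed `example_` (the action name, nonce action, option keys, catalog lookup and the toy order storage) is hypothetical; the WordPress functions and the PayPal REST endpoints (`/v1/oauth2/token`, `/v2/checkout/orders/{id}` on `api-m.paypal.com`; use `api-m.sandbox.paypal.com` for testing) are real. The design point is that the client supplies only a PayPal order id, and every field that reaches the order record or the receipt email (status, amount, payer address) comes from PayPal's answer, so a forged POST with a made-up transaction id, amount or email cannot create an order or send mail.

```php
<?php
// Added example, not the plugin's code. Names prefixed example_ are hypothetical.

// Guests must be able to finish checkout, so the nopriv hook stays. The protection is
// that nothing in the request is trusted beyond the PayPal order id, which is verified.
add_action( 'wp_ajax_example_process_order', 'example_process_order' );
add_action( 'wp_ajax_nopriv_example_process_order', 'example_process_order' );

function example_process_order() {
    // Nonce issued to the checkout page via wp_create_nonce( 'example_checkout' ).
    // It stops blind cross-site posting; it is not the authorization check.
    check_ajax_referer( 'example_checkout', 'nonce' );

    $order_id = sanitize_text_field( wp_unslash( $_POST['paypal_order_id'] ?? '' ) );
    if ( ! preg_match( '/^[A-Z0-9]{10,20}$/', $order_id ) ) {
        wp_send_json_error( 'invalid order id', 400 );
    }

    // Server-side verification: ask PayPal what this order actually is.
    $order = example_paypal_get_order( $order_id );
    if ( is_wp_error( $order ) ) {
        wp_send_json_error( 'verification failed', 502 );
    }
    if ( 'COMPLETED' !== ( $order['status'] ?? '' ) ) {
        wp_send_json_error( 'payment not completed', 402 );
    }

    $unit    = $order['purchase_units'][0] ?? array();
    $capture = $unit['payments']['captures'][0] ?? array();
    // reference_id was set to our product id when the order was created; the expected
    // price comes from our catalog, never from the request or from the client script.
    $expected = example_catalog_price( $unit['reference_id'] ?? '' );
    if ( null === $expected
        || ( $capture['amount']['currency_code'] ?? '' ) !== $expected['currency']
        || ( $capture['amount']['value'] ?? '' ) !== $expected['value'] ) {
        wp_send_json_error( 'amount mismatch', 402 );
    }

    // Idempotency: the endpoint may be hit twice, but a capture id is recorded once.
    if ( example_order_exists( $capture['id'] ) ) {
        wp_send_json_success( array( 'status' => 'already recorded' ) );
    }
    example_store_order( array(
        'txn_id'  => $capture['id'],
        'product' => $unit['reference_id'],
        'amount'  => $capture['amount']['value'],
        // Receipt address is the payer address PayPal reports, not a request parameter.
        'email'   => sanitize_email( $order['payer']['email_address'] ?? '' ),
    ) );
    wp_send_json_success( array( 'status' => 'recorded' ) );
}

function example_paypal_get_order( $order_id ) {
    $token = example_paypal_access_token();
    if ( is_wp_error( $token ) ) {
        return $token;
    }
    $resp = wp_remote_get(
        'https://api-m.paypal.com/v2/checkout/orders/' . rawurlencode( $order_id ),
        array( 'headers' => array( 'Authorization' => 'Bearer ' . $token ), 'timeout' => 15 )
    );
    if ( is_wp_error( $resp ) ) {
        return $resp;
    }
    if ( 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return new WP_Error( 'paypal_http', 'unexpected response code' );
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    return is_array( $data ) ? $data : new WP_Error( 'paypal_json', 'unparseable body' );
}

function example_paypal_access_token() {
    // Client-credentials grant. The secret is stored in options by the site admin.
    $resp = wp_remote_post( 'https://api-m.paypal.com/v1/oauth2/token', array(
        'headers' => array( 'Authorization' => 'Basic ' . base64_encode(
            get_option( 'example_paypal_client_id' ) . ':' . get_option( 'example_paypal_secret' )
        ) ),
        'body'    => array( 'grant_type' => 'client_credentials' ),
        'timeout' => 15,
    ) );
    if ( is_wp_error( $resp ) ) {
        return $resp;
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    return ! empty( $data['access_token'] ) ? $data['access_token'] : new WP_Error( 'paypal_auth', 'no token' );
}

// Constructed catalog and toy storage standing in for a real product table and order table.
function example_catalog_price( $product_id ) {
    $catalog = array( 'ebook-1' => array( 'currency' => 'EUR', 'value' => '9.99' ) );
    return $catalog[ $product_id ] ?? null;
}
function example_order_exists( $txn_id ) {
    return false !== get_option( 'example_order_' . $txn_id );
}
function example_store_order( $order ) {
    add_option( 'example_order_' . $order['txn_id'], $order );
}
```

Two points worth noting for anyone auditing a handler like this. First, the nonce alone would not fix CWE-862 here: a visitor can legitimately obtain one from the checkout page, so the integrity of the order still rests entirely on the server-to-server lookup and the amount comparison against the catalog. Second, the handler compares both `currency_code` and `value` as strings exactly as PayPal returns them, which avoids floating-point rounding surprises when a price such as `9.99` is checked.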
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-10T16:00:08.500Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696b0749b22c7ad868788fcb
Added to database: 1/17/2026, 3:51:37 AM
Last enriched: 1/24/2026, 7:48:48 PM
Last updated: 2/7/2026, 10:38:34 AM