CVE-2026-9284: CWE-862 Missing Authorization in woocommerce WooCommerce PayPal Payments
The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all versions up to, and including, 4.0.1. The `ppc-create-order` endpoint accepts an arbitrary WooCommerce order ID in the `pay-now` context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The `ppc-get-order` endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers' order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim's WC order and then retrieving the PayPal order data.
AI Analysis
Technical Summary
The WooCommerce PayPal Payments plugin suffers from missing authorization on the `ppc-create-order` and `ppc-get-order` AJAX endpoints. The `ppc-create-order` endpoint accepts arbitrary WooCommerce order IDs in the 'pay-now' context without validating that the requester owns the order, allowing attackers to create PayPal orders and write metadata to victim orders. The `ppc-get-order` endpoint returns complete PayPal order details for any order ID without verifying the requester's session, enabling attackers to exfiltrate sensitive order data. These flaws combined permit unauthenticated attackers to manipulate other customers' payment processes and access confidential information.
Potential Impact
An attacker can create PayPal orders associated with any WooCommerce order and retrieve full PayPal order details, including payer and shipping information, without authentication. This leads to unauthorized order manipulation and sensitive information disclosure. The vulnerability does not impact availability but compromises confidentiality and partially integrity of order data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected AJAX endpoints if possible and monitor for suspicious activity related to order creation and retrieval. Avoid exposing these endpoints publicly or implement custom authorization checks as a temporary measure.
CVE-2026-9284: CWE-862 Missing Authorization in woocommerce WooCommerce PayPal Payments
Description
The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all versions up to, and including, 4.0.1. The `ppc-create-order` endpoint accepts an arbitrary WooCommerce order ID in the `pay-now` context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The `ppc-get-order` endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers' order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim's WC order and then retrieving the PayPal order data.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The WooCommerce PayPal Payments plugin suffers from missing authorization on the `ppc-create-order` and `ppc-get-order` AJAX endpoints. The `ppc-create-order` endpoint accepts arbitrary WooCommerce order IDs in the 'pay-now' context without validating that the requester owns the order, allowing attackers to create PayPal orders and write metadata to victim orders. The `ppc-get-order` endpoint returns complete PayPal order details for any order ID without verifying the requester's session, enabling attackers to exfiltrate sensitive order data. These flaws combined permit unauthenticated attackers to manipulate other customers' payment processes and access confidential information.
Potential Impact
An attacker can create PayPal orders associated with any WooCommerce order and retrieve full PayPal order details, including payer and shipping information, without authentication. This leads to unauthorized order manipulation and sensitive information disclosure. The vulnerability does not impact availability but compromises confidentiality and partially integrity of order data.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the affected AJAX endpoints if possible and monitor for suspicious activity related to order creation and retrieval. Avoid exposing these endpoints publicly or implement custom authorization checks as a temporary measure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-05-22T16:04:02.399Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a113444e1370fbb48165c3f
Added to database: 5/23/2026, 4:59:48 AM
Last enriched: 5/23/2026, 5:14:43 AM
Last updated: 5/23/2026, 8:39:12 PM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.