1. Home
  2. Vulnerabilities
  3. CVE-2026-9284
0.0
NA
CVE-2026-9284
WooCommerce PayPal Payments <= 4.0.1 - Missing Authorization to Unauthenticated Order Manipulation and Information Disclosure
Overview
Description

The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all versions up to, and including, 4.0.1. The `ppc-create-order` endpoint accepts an arbitrary WooCommerce order ID in the `pay-now` context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The `ppc-get-order` endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers' order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim's WC order and then retrieving the PayPal order data.

Details
INFO

Published Date :

May 23, 2026, 4:27 a.m.

Last Modified :

May 23, 2026, 4:27 a.m.

Remotely Exploit :

No

Source :

Wordfence
Impact
Affected Products

The following products are affected by CVE-2026-9284 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

: Total Affected Vendor : 0 | Products : 0
Solution
Update the WooCommerce PayPal Payments plugin to a version that addresses authorization bypass vulnerabilities.
  • Update the WooCommerce PayPal Payments plugin immediately.
  • Verify plugin version is 4.0.2 or later.
  • Review access controls for WC-AJAX endpoints.
  • Monitor for unauthorized order modifications.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-9284 vulnerability anywhere in the article.

Results are limited to the first 20 news articles due to potential performance issues.

The following table lists the changes that have been made to the CVE-2026-9284 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by [email protected]

    May. 23, 2026

    Action Type Old Value New Value
    Added Description The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all versions up to, and including, 4.0.1. The `ppc-create-order` endpoint accepts an arbitrary WooCommerce order ID in the `pay-now` context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The `ppc-get-order` endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers' order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim's WC order and then retrieving the PayPal order data.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
    Added CWE CWE-862
    Added Reference https://plugins.trac.wordpress.org/browser/woocommerce-paypal-payments/tags/3.3.2/modules/ppcp-button/src/Endpoint/CreateOrderEndpoint.php#L249
    Added Reference https://plugins.trac.wordpress.org/browser/woocommerce-paypal-payments/tags/3.3.2/modules/ppcp-button/src/Endpoint/GetOrderEndpoint.php#L44
    Added Reference https://plugins.trac.wordpress.org/browser/woocommerce-paypal-payments/trunk/modules/ppcp-button/src/Endpoint/CreateOrderEndpoint.php#L249
    Added Reference https://plugins.trac.wordpress.org/browser/woocommerce-paypal-payments/trunk/modules/ppcp-button/src/Endpoint/GetOrderEndpoint.php#L44
    Added Reference https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3497597%40woocommerce-paypal-payments&new=3497597%40woocommerce-paypal-payments&sfp_email=&sfph_mail=
    Added Reference https://www.wordfence.com/threat-intel/vulnerabilities/id/d5fa3282-b3be-4ea1-9865-011dea828a25?source=cve
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CVSS
Vulnerability Scoring Details
No CVSS metrics available for this vulnerability.