CVE-2019-14979

MEDIUM

WooCommerce PayPal Checkout Payment Gateway 1.6.17 - Parameter Tampering in Amount Parameter

Title source: llm
STIX 2.1

Description

cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://gkaim.com/cve-2019-14979-vikas-chaudhary/

Scores

CVSS v3 5.3
EPSS 0.0109
EPSS Percentile 61.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-20
Status published
Products (1)
woocommerce/paypal_checkout_payment_gateway 1.6.17
Published Aug 29, 2019
Tracked Since Feb 18, 2026