CVE-2019-7441

MEDIUM

WooCommerce PayPal Checkout Payment Gateway <1.6.8 - Info Disclosure

Title source: llm

Description

cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.8 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state

Exploits (1)

exploitdb WORKING POC

by Vikas Chaudhary · textwebappsphp

https://www.exploit-db.com/exploits/46632

View Code ZIP pw:eip

References (4)

Core 4

Core References

Exploit, Third Party Advisory x_refsource_misc

https://gkaim.com/cve-2019-7441-vikas-chaudhary/

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/46632/

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/152362/WordPress-PayPal-Checkout-Payment-Gateway-1.6.8-Parameter-Tampering.html

Product x_refsource_misc

https://wordpress.org/support/topic/vulnerabilty-in-plugin/#post-11899173

Scores

CVSS v3 6.5

EPSS 0.0170

EPSS Percentile 82.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

Status published

Products (1)

woocommerce/paypal_checkout_payment_gateway 1.6.8

Published Mar 21, 2019

Tracked Since Feb 18, 2026