CVE-2025-30152

MEDIUM

Sylius PayPal Plugin <2.0.2 - Info Disclosure

Title source: llm

Description

The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above.

References (2)

[Vendor Advisory] https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37

[Patch] https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa

View Patch ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0032

EPSS Percentile 55.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-472

Status published

Products (4)

sylius/paypal-plugin 0 - 1.6.2Packagist

Sylius/PayPalPlugin < 1.6.2

Sylius/PayPalPlugin >= 1.7.0, < 1.7.2

Sylius/PayPalPlugin >= 2.0.0, < 2.0.2

Published Mar 19, 2025

Tracked Since Feb 18, 2026