漏洞速览
- 漏洞编号:
CVE-2026-9284 - 风险评分:
8.2(高危) - 首次披露:2026-05-22
- 最近更新:2026-05-23
- 软件类型:插件
- 软件标识:
woocommerce-paypal-payments - 受影响版本:<= 4.0.1
- 修复版本:4.0.2
- 是否已修复:是
漏洞详情
The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the ppc-create-order and ppc-get-order WC-AJAX endpoints in all versions up to, and including, 4.0.1. The ppc-create-order endpoint accepts an arbitrary WooCommerce order ID in the pay-now context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The ppc-get-order endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers' order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim's WC order and then retrieving the PayPal order data.
影响与风险
- 漏洞类型:Missing Authorization to Unauthenticated Order Manipulation and Information Disclosure
- 风险说明:漏洞可能被利用以执行未授权操作,建议按官方修复方案立即升级并复核安全配置。
- 研究人员:Dmitrii Ignatyev – CleanTalk Inc
修复建议
- 按官方建议执行修复:更新至 4.0.2 或更高已修复版本。
- 复核
administrator/shop manager等高权限账号与角色授权。 - 排查近期插件安装/配置变更记录,确认无异常写入。
- 建议配合 WAF 与登录审计,持续观察可疑请求。
