{"id":"CVE-2025-30152","summary":"Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout","details":"The Sylius PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a vulnerability allows a customer to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a customer initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order, so the amount authorized by PayPal no longer matches the final order total. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. The issue is fixed in versions 1.6.2, 1.7.2, 2.0.2 and above.","aliases":["GHSA-hxg4-65p5-9w37"],"modified":"2026-04-10T05:24:41.229423Z","published":"2025-03-19T15:57:32.445Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-472"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30152.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30152.json"},{"type":"ADVISORY","url":"https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30152"},{"type":"FIX","url":"https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sylius/paypalplugin","events":[{"introduced":"0"},{"fixed":"5613df827a6d4fc50862229295976200a68e97aa"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.6.2"}]}},{"type":"GIT","repo":"https://github.com/sylius/paypalplugin","events":[{"introduced":"118ff6eddedee6f498c6d6bc27920be685a32287"},{"fixed":"5354ebc571fb4b730468fd05ff24bfbe6c5667ff"}],"database_specif
ic":{"versions":[{"introduced":"1.7.0"},{"fixed":"1.7.2"}]}},{"type":"GIT","repo":"https://github.com/sylius/paypalplugin","events":[{"introduced":"9dcd01a9583731d5f5e7f0c2a8d58248553b5b46"},{"fixed":"063d669f34968c8ff4a72e072842e097b4e6f4d1"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"fixed":"2.0.2"}]}}],"versions":["v0.1.0","v0.1.1","v0.2.0","v0.2.1","v0.3.0","v0.3.1","v1.0.0","v1.0.0-BETA.1","v1.0.0-BETA.2","v1.0.0-BETA.3","v1.0.0-BETA.4","v1.0.0-RC.1","v1.0.0-RC.2","v1.0.1","v1.0.2","v1.1.0","v1.1.1","v1.2.0","v1.2.1","v1.2.2","v1.3.0","v1.3.1","v1.5.0","v1.6.0","v1.6.1","v1.7.0","v1.7.1","v2.0.0","v2.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30152.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}