WordPress Security Bulletin: Payment Button for PayPal Plugin Vulnerability (CVE-2025-14463)

On this page

Security Alert Summary

The Payment Button for PayPal plugin for WordPress contains an unauthenticated order-creation vulnerability that allows remote actors to submit POST requests to a public AJAX endpoint and create arbitrary orders without server-side verification of the PayPal transaction. The issue can also trigger outgoing purchase receipt emails and corrupt order records if email sending is enabled.

CVE Details

  • CVE ID: CVE-2025-14463
  • Affected plugin / component: The Payment Button for PayPal plugin for WordPress
  • Affected versions: All versions up to, and including, 1.2.3.41
  • Published: January 17, 2026 at 4:16:07 AM UTC
  • Last modified: January 17, 2026 at 4:16:07 AM UTC
  • CVSS v3.1: Base Score 5.3, Severity MEDIUM
    Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    Attack Vector: NETWORK, Attack Complexity: LOW, Privileges Required: NONE, User Interaction: NONE, Scope: UNCHANGED
  • Authentication / Privileges / User interaction: No authentication required; no privileges required; no user interaction required (as reported in CVSS data)
  • Primary impact: Integrity: LOW; Confidentiality: NONE; Availability: NONE
  • CWE / Weakness ID: CWE-862

Technical Details

According to the CVE description, the plugin exposes a public AJAX endpoint named wppaypalcheckout_ajax_process_order that processes checkout results without any authentication or server-side verification of the PayPal transaction. Because the endpoint accepts direct POST requests and does not verify that the supplied transaction ID or payment status corresponds to a validated PayPal transaction, an unauthenticated actor can submit arbitrary order data (transaction ID, payment status, product name, amount, customer information) and have the plugin record it as an order.

The lack of server-side verification and missing authentication checks are the root cause: the endpoint processes supplied checkout results directly rather than validating them with PayPal or enforcing permission checks. The CVE notes that if email sending is enabled, the plugin will send purchase receipt emails to any email address supplied in the request, and that order database corruption can occur because created orders are not backed by real payment confirmations.

How This Could Impact Your Website

In a typical scenario, a site owner or store manager may rely on the plugin to record completed PayPal purchases and notify customers. An external attacker could submit crafted POST requests to the exposed AJAX endpoint to create fake orders that appear in the site’s order management interface. Internal staff or contractors reviewing orders could see these entries and follow up, and customers or external contributors could receive unsolicited receipt emails if attacker-supplied addresses are used.

Practical consequences include exposure of internal or customer email addresses (if attacker-supplied emails are stored or used), increased risk of targeted phishing or social engineering based on fabricated purchase activity, and corruption or inflation of order records that complicate reconciliation and reporting. If your site relies on automated workflows triggered by orders, those workflows could be invoked by falsified orders.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Temporarily disable the plugin or its checkout functionality if you cannot immediately confirm it has been patched.
  • Review and reduce unnecessary user roles, especially contributor-level accounts and other accounts with write permissions.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce your attack surface.
  • Monitor site activity and order records for unusual behavior, such as unexpected spikes in orders or suspicious customer email addresses.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References