CVE-2025-29788
📋 TL;DR
The Sylius PayPal Plugin vulnerability allows users to manipulate payment amounts by changing cart quantities after initiating PayPal checkout. PayPal captures the original lower amount while Sylius incorrectly marks the order as fully paid at the higher amount. This affects all Sylius e-commerce sites using vulnerable PayPal Plugin versions.
💻 Affected Systems
- Sylius PayPal Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers systematically underpay for high-value orders, causing significant financial losses to merchants through payment fraud.
Likely Case
Customers accidentally or intentionally pay less than actual order totals, resulting in revenue loss and order fulfillment issues.
If Mitigated
With proper controls, transactions are validated before completion, preventing payment discrepancies.
🎯 Exploit Status
Simple manipulation of cart quantities during checkout flow. No special tools required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.1, 1.7.1, or 2.0.1 depending on your major version
Vendor Advisory: https://github.com/Sylius/PayPalPlugin/releases
Restart Required: No
Instructions:
1. Identify your current PayPal Plugin version.
2. Update to the patched version matching your major release: 1.x.x → 1.6.1/1.7.1, 2.x.x → 2.0.1.
3. Run composer update sylius/paypal-plugin.
4. Clear cache and test checkout flow.
🔧 Temporary Workarounds
Override vulnerable actions
- Manually override ProcessPayPalOrderAction, CompletePayPalOrderFromPaymentPageAction, and CaptureAction with validation logic
- Override these classes in your application with validation that compares the PayPal capture amount (and currency) with the Sylius order total before the payment is marked complete
🧯 If You Can't Patch
- Disable PayPal Express Checkout and use alternative payment methods
- Implement post-payment validation to compare PayPal transaction amounts with order totals before order fulfillment
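The amount check described under the workarounds above (override the completion actions, compare the PayPal capture with the Sylius order total) and under "If You Can't Patch" (validate before fulfillment), written out as an added example. This is illustration code, not the plugin's own PHP or the upstream fix: it assumes Sylius stores totals as integers in the currency's minor unit and that PayPal reports a capture as a decimal string plus a currency code, and it uses a hypothetical SyliusOrder record and a hypothetical complete_payment step to show where the check belongs.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# Assumption: Sylius keeps money as integer minor units (1999 == 19.99 EUR),
# while a PayPal capture carries {"value": "19.99", "currency_code": "EUR"}.
MINOR_UNIT_DIGITS = {"EUR": 2, "USD": 2, "GBP": 2, "JPY": 0}


@dataclass
class SyliusOrder:               # hypothetical stand-in for the Sylius order entity
    number: str
    total: int                   # current total in minor units (may have grown after checkout started)
    currency_code: str
    payment_state: str = "new"
    review_reason: str = ""


def to_minor_units(amount: str, currency_code: str) -> int:
    """Convert a PayPal decimal string to integer minor units without float rounding."""
    digits = MINOR_UNIT_DIGITS.get(currency_code.upper(), 2)
    quantum = Decimal(1).scaleb(-digits)          # 0.01 for two-digit currencies, 1 for JPY
    return int(Decimal(amount).quantize(quantum, rounding=ROUND_HALF_UP) * (10 ** digits))


def capture_matches_order(capture: dict, order: SyliusOrder) -> tuple[bool, str]:
    """Return (ok, reason) for one capture entry from a PayPal order response.

    The check fails if the capture is not COMPLETED, if the currency differs,
    or if the captured amount is not exactly the order total at completion time.
    """
    if capture.get("status") != "COMPLETED":
        return False, f"capture status is {capture.get('status')!r}, not COMPLETED"
    amount = capture.get("amount", {})
    currency = amount.get("currency_code", "")
    if currency.upper() != order.currency_code.upper():
        return False, f"currency mismatch: captured {currency}, order is {order.currency_code}"
    captured = to_minor_units(amount["value"], currency)
    if captured != order.total:
        return False, f"amount mismatch: captured {captured}, order total {order.total}"
    return True, "ok"


def complete_payment(capture: dict, order: SyliusOrder) -> SyliusOrder:
    """Hardened completion step (hypothetical).

    The vulnerable behaviour marks the order paid as soon as PayPal reports a
    completed capture. Here the order only transitions to 'completed' when the
    capture matches the order total; otherwise it is parked for manual review
    so fulfillment cannot proceed on an underpaid order.
    """
    ok, reason = capture_matches_order(capture, order)
    order.payment_state = "completed" if ok else "review_required"
    order.review_reason = reason
    return order


if __name__ == "__main__":
    # Constructed scenario: checkout started at 19.99 EUR, cart doubled afterwards.
    order = SyliusOrder(number="000123", total=3998, currency_code="EUR")
    capture = {"status": "COMPLETED", "amount": {"value": "19.99", "currency_code": "EUR"}}
    print(complete_payment(capture, order))
```

The comparison is exact rather than tolerant: a customer who changed the cart after the PayPal order was created should land in review, not be silently accepted because the difference looks small. Doing the conversion with Decimal avoids the off-by-one-cent errors that float arithmetic introduces for values like 19.99.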
🔍 How to Verify
Check if Vulnerable:
Check composer.json for the sylius/paypal-plugin version. If the version is <1.6.1 for 1.x, <1.7.1 for 1.7.x, or <2.0.1 for 2.x, you are vulnerable.
Check Version:
composer show sylius/paypal-plugin | grep versions
Verify Fix Applied:
After update, test checkout flow: modify cart quantity during PayPal process and verify final captured amount matches actual order total.
📡 Detection & Monitoring
Log Indicators:
- Discrepancies between PayPal capture amounts and Sylius order totals
- Order status changes to 'paid' with payment amounts lower than order value
Network Indicators:
- PayPal webhook calls with amount mismatches
- Multiple cart modification requests during single checkout
SIEM Query:
Search for: (payment_amount < order_total) AND (status='paid') in order/payment logs
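The log and network indicators above, turned into detection logic over a few constructed log lines, as an added example (not tooling from Sylius or from this advisory). The key=value log format, the field names (order, order_total, payment_amount, status) and the event names (paypal_checkout_started, cart_updated, payment_completed) are assumptions for the example; map them onto whatever your application actually emits. The first function is the SIEM query from the page, (payment_amount < order_total) AND (status='paid'); the second flags the "cart modified during a single checkout" pattern.

```python
import re
from collections import defaultdict

# Tolerates quoted values: key="some value" or key=value
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Parse one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


# Constructed sample log: order 000123 doubles its cart after PayPal checkout
# started and is marked paid at the original lower amount; 000124 is clean.
SAMPLE_LOG = """\
2025-03-10T10:00:01Z event=paypal_checkout_started order=000123 order_total=1999 currency=EUR
2025-03-10T10:00:20Z event=cart_updated order=000123 order_total=3998 currency=EUR
2025-03-10T10:00:45Z event=payment_completed order=000123 order_total=3998 payment_amount=1999 currency=EUR status=paid
2025-03-10T10:05:00Z event=paypal_checkout_started order=000124 order_total=500 currency=EUR
2025-03-10T10:05:30Z event=payment_completed order=000124 order_total=500 payment_amount=500 currency=EUR status=paid
""".splitlines()


def underpaid_paid_orders(lines) -> list:
    """Equivalent of the SIEM query: status='paid' AND payment_amount < order_total."""
    hits = []
    for line in lines:
        f = parse(line)
        if f.get("status") != "paid":
            continue
        try:
            paid, total = int(f["payment_amount"]), int(f["order_total"])
        except (KeyError, ValueError):
            continue                       # line lacks the amount fields; not a payment record
        if paid < total:
            hits.append({"order": f.get("order"), "payment_amount": paid,
                         "order_total": total, "shortfall": total - paid})
    return hits


def cart_changes_during_checkout(lines) -> dict:
    """Count cart modifications that happen after PayPal checkout started and
    before the payment completed, per order. Any non-zero count deserves a look."""
    in_checkout = set()
    changes = defaultdict(int)
    for line in lines:
        f = parse(line)
        order, event = f.get("order"), f.get("event")
        if event == "paypal_checkout_started":
            in_checkout.add(order)
        elif event == "cart_updated" and order in in_checkout:
            changes[order] += 1
        elif event == "payment_completed":
            in_checkout.discard(order)
    return dict(changes)


if __name__ == "__main__":
    for hit in underpaid_paid_orders(SAMPLE_LOG):
        print("underpaid:", hit)
    print("cart changes during checkout:", cart_changes_during_checkout(SAMPLE_LOG))
```

The two signals are complementary: the amount comparison only fires once an underpaid order has already been marked paid, while the cart-change counter fires during the checkout itself and can feed an alert or a hold on fulfillment before the order ships.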
🔗 References
- https://github.com/Sylius/PayPalPlugin/commit/31e71b0457e5d887a6c19f8cfabb8b16125ec406
- https://github.com/Sylius/PayPalPlugin/commit/8a81258f965b7860d4bccb52942e4c5b53e6774d
- https://github.com/Sylius/PayPalPlugin/releases/tag/v1.6.1
- https://github.com/Sylius/PayPalPlugin/releases/tag/v1.7.1
- https://github.com/Sylius/PayPalPlugin/releases/tag/v2.0.1
- https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-pqq3-q84h-pj6x