PayPal Gateway Vulnerability + Patch – WC 1.6.5.1

Description

In older versions of WooCommerce, the PayPal gateway did not check the amount returned in the IPN (Instant Payment Notification) against the order total. This meant that if someone altered the payment form during checkout, they could change the order amount sent to PayPal and the order would still be marked as paid after payment. The changed amount would be visible in PayPal's payment notifications, but could easily go unnoticed.

Patching this vulnerability or upgrading to 1.6.5.2 is highly recommended.

Affected version(s)

WooCommerce 1.6.5.1 and below are affected. This issue was patched in 1.6.5.2.

Affected file(s)

woocommerce/classes/gateways/paypal/class-wc-paypal.php

Manual Patch

On line 608 of the PayPal gateway (inside the IPN handling code), the following check needs to be added to prevent the issue:

    // Validate Amount: the gross amount PayPal reports must equal the order total
    if ( $order->get_total() != $posted['mc_gross'] ) {

        if ( $this->debug == 'yes' )
            $this->log->add( 'paypal', 'Payment error: Amounts do not match (gross ' . $posted['mc_gross'] . ')' );

        // Put this order on-hold for manual checking instead of marking it paid
        $order->update_status( 'on-hold', sprintf( __( 'Validation error: PayPal amounts do not match (gross %s).', 'woocommerce' ), $posted['mc_gross'] ) );

        // Stop processing so the order is never completed on a mismatched amount
        exit;
    }
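The following stand-alone script is an added example, not WooCommerce's own code, showing the same amount check applied to constructed IPN payloads. It assumes a plain order total instead of a WooCommerce order object and normalises both values to two decimals before comparing; the function names (ipn_amount_matches, handle_ipn) are hypothetical.

```php
<?php
// Added example (not WooCommerce code). Assumes the IPN has already been
// verified with PayPal; only the amount comparison is demonstrated here.

/**
 * Compare the total stored on the order with the gross amount reported in
 * the IPN. Both are normalised to two-decimal strings so that "10.1",
 * "10.10" and 10.1 compare equal, while a tampered amount does not.
 */
function ipn_amount_matches( $order_total, array $posted ) {
    if ( ! isset( $posted['mc_gross'] ) || ! is_numeric( $posted['mc_gross'] ) ) {
        return false; // missing or non-numeric gross: never treat as paid
    }
    $expected = number_format( (float) $order_total, 2, '.', '' );
    $received = number_format( (float) $posted['mc_gross'], 2, '.', '' );
    return $expected === $received;
}

/**
 * Decide what to do with an IPN for an order. Mirrors the patched
 * behaviour: a mismatch puts the order on hold for manual review
 * instead of completing it.
 */
function handle_ipn( $order_total, array $posted ) {
    if ( ! ipn_amount_matches( $order_total, $posted ) ) {
        $gross = isset( $posted['mc_gross'] ) ? $posted['mc_gross'] : 'missing';
        return array(
            'status' => 'on-hold',
            'note'   => "Validation error: PayPal amounts do not match (gross $gross).",
        );
    }
    return array( 'status' => 'completed', 'note' => 'IPN amount matches order total.' );
}

// Constructed sample IPN payloads (not captured from PayPal).
$order_total = 49.90;
$samples = array(
    'genuine'  => array( 'mc_gross' => '49.90', 'payment_status' => 'Completed' ),
    'tampered' => array( 'mc_gross' => '0.01',  'payment_status' => 'Completed' ),
    'missing'  => array( 'payment_status' => 'Completed' ),
);

foreach ( $samples as $label => $ipn ) {
    $result = handle_ipn( $order_total, $ipn );
    echo "$label: {$result['status']} - {$result['note']}\n";
}
```

Only the genuine payload is completed; the tampered and missing-amount payloads are placed on hold with the same note the patch writes to the order.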