CVE-2025-30152

Published: Mar 19, 2025

Modified: Mar 19, 2025

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above.

Vendor	Product	Versions
Sylius	PayPalPlugin	affected `< 1.6.2` affected `>= 1.7.0, < 1.7.2` affected `>= 2.0.0, < 2.0.2`

Weaknesses (CWE)

CWE-472

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37

x_refsource_CONFIRM

https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-30152

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References