CVE-2025-30152

Summary

The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above.

Affected Software

VendorProductVersion RangeStatus
SyliusPayPalPlugin< 1.6.2affected
SyliusPayPalPlugin>= 1.7.0, < 1.7.2affected
SyliusPayPalPlugin>= 2.0.0, < 2.0.2affected

Weaknesses

  • CWE-472: CWE-472: External Control of Assumed-Immutable Web Parameter

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References