CVE-2019-14979 — MEDIUM (5.3)

Vulnerability Description

cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state

CVSS Score

5.3

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Woocommerce	Paypal Checkout Payment Gateway	1.6.17

Related Weaknesses (CWE)

CWE-20

References

https://gkaim.com/cve-2019-14979-vikas-chaudhary/ExploitThird Party Advisory
https://wordpress.org/support/topic/vulnerabilty-in-plugin/#post-11899173
https://gkaim.com/cve-2019-14979-vikas-chaudhary/ExploitThird Party Advisory
https://wordpress.org/support/topic/vulnerabilty-in-plugin/#post-11899173

FAQ

What is CVE-2019-14979?

CVE-2019-14979 is a vulnerability with a CVSS score of 5.3 (MEDIUM). cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchas...

How severe is CVE-2019-14979?

CVE-2019-14979 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-14979?

Check the references section above for vendor advisories and patch information. Affected products include: Woocommerce Paypal Checkout Payment Gateway.