Vulnerability Description
The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a6
- https://github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37
FAQ
What is CVE-2025-30152?
CVE-2025-30152 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart afte...
How severe is CVE-2025-30152?
CVE-2025-30152 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-30152?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.