CVE-2025-30152

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-30152
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30152.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-30152
Aliases
Published
2025-03-19T15:57:32.445Z
Modified
2025-12-05T08:54:13.597817Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout
Details

The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. Prior to 1.6.2, 1.7.2, and 2.0.2, a discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment. The issue is fixed in versions: 1.6.2, 1.7.2, 2.0.2 and above.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30152.json",
    "cwe_ids": [
        "CWE-472"
    ]
}
References

Affected packages

Git / github.com/sylius/paypalplugin

Affected ranges

Type
GIT
Repo
https://github.com/sylius/paypalplugin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
5613df827a6d4fc50862229295976200a68e97aa
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.6.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/sylius/paypalplugin
Events
Introduced
118ff6eddedee6f498c6d6bc27920be685a32287
Fixed
5354ebc571fb4b730468fd05ff24bfbe6c5667ff
Database specific 
{
    "versions": [
        {
            "introduced": "1.7.0"
        },
        {
            "fixed": "1.7.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/sylius/paypalplugin
Events
Introduced
9dcd01a9583731d5f5e7f0c2a8d58248553b5b46
Fixed
063d669f34968c8ff4a72e072842e097b4e6f4d1
Database specific 
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.0.2"
        }
    ]
}

Affected versions

v0.*

v0.1.0
v0.1.1
v0.2.0
v0.2.1
v0.3.0
v0.3.1

v1.*

v1.0.0
v1.0.0-BETA.1
v1.0.0-BETA.2
v1.0.0-BETA.3
v1.0.0-BETA.4
v1.0.0-RC.1
v1.0.0-RC.2
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.4.1
v1.4.2
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.7.2

v2.*

v2.0.0
v2.0.1