PayPal Integration Flaw Exposes Shopware Orders

CVE: CVE-2023-23941
CVSS (v3.1): 7.5
Source: CVE-2023-23941

Shopware is an open source e-commerce platform used by many online stores. It allows merchants to integrate popular payment gateways like PayPal to accept payments.

A vulnerability was discovered in SwagPayPal, the PayPal integration plugin for Shopware. The item and payment details sent to PayPal during checkout may not have matched what was recorded in the Shopware order.

This could allow a malicious person to alter the payment amount or items in transit between the store and PayPal without the merchant’s knowledge. They may be able to pay less than the actual order total or remove high-value items.

The plugin developers have released an update fixing the synchronization problem. Store owners using SwagPayPal should update to version 5.4.4 or higher to patch the vulnerability.

As an interim measure, merchants can also disable the affected JavaScript-based PayPal payment options, such as PayPal Plus or Smart Payment Buttons. Alternatively, make sure the Security plugin for Shopware is installed at version 1.0.21 or higher to help prevent payment data tampering.
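A reconciliation check for stores that ran an affected SwagPayPal version, as an added example that is not part of the advisory or the plugin's code: it compares what each order recorded with what the payment record shows and reports amount, currency and item mismatches. The record layout and field names are hypothetical, and the sample data is constructed.

```python
from decimal import Decimal

# Constructed sample data. Field names are hypothetical, not Shopware or PayPal API fields.
ORDERS = {
    "10001": {"currency": "EUR", "total": "149.90", "items": {"SKU-A": 1, "SKU-B": 2}},
    "10002": {"currency": "EUR", "total": "899.00", "items": {"SKU-C": 1, "SKU-D": 1}},
    "10003": {"currency": "EUR", "total": "20.00", "items": {"SKU-E": 1}},
    "10004": {"currency": "EUR", "total": "35.50", "items": {"SKU-F": 1}},
}
PAYMENTS = [
    {"order": "10001", "currency": "EUR", "amount": "149.90", "items": {"SKU-A": 1, "SKU-B": 2}},
    {"order": "10002", "currency": "EUR", "amount": "99.00", "items": {"SKU-D": 1}},
    {"order": "10003", "currency": "EUR", "amount": "20.0", "items": {"SKU-E": 1}},
]

def reconcile(orders, payments):
    """Return {order_id: [findings]} for orders whose payment record does not match."""
    paid = {p["order"]: p for p in payments}
    findings = {}
    for oid, order in orders.items():
        issues = []
        pay = paid.get(oid)
        if pay is None:
            issues.append("no payment record")
        else:
            if pay["currency"] != order["currency"]:
                issues.append(f"currency {pay['currency']} != {order['currency']}")
            # Decimal comparison: "20.0" and "20.00" are equal, floats or strings are not safe here.
            if Decimal(pay["amount"]) != Decimal(order["total"]):
                issues.append(f"amount {pay['amount']} != order total {order['total']}")
            for sku, qty in order["items"].items():
                got = pay["items"].get(sku, 0)
                if got != qty:
                    issues.append(f"item {sku}: paid qty {got}, ordered {qty}")
            for sku in sorted(pay["items"].keys() - order["items"].keys()):
                issues.append(f"item {sku} paid but not in order")
        if issues:
            findings[oid] = issues
    # Payments that point at an order the shop does not know about.
    for oid in sorted(paid.keys() - orders.keys()):
        findings[oid] = ["payment references unknown order"]
    return findings

if __name__ == "__main__":
    for oid, issues in reconcile(ORDERS, PAYMENTS).items():
        print(oid, "; ".join(issues))
```
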

It is important for online retailers to always keep their e-commerce software and plugins up to date to protect against bugs or vulnerabilities that could impact the security of customer payments and orders.
