In the module "PayPal Official" for PrestaShop 7+ release <= 6.4.1 and for PrestaShop 1.6 release <= 3.18.0, a malicious customer can confirm as "payment accepted" an order even if payment is finally declined by PayPal.
A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order.
Possible malicious usage
- Confirm order with a fraudulent payment support
Recommendations
- Upgrade PayPal up to 6.4.2 or 3.18.1 according to your PrestaShop version.
- Enable webhooks and check they are callable
Timeline
Date |
Action |
2024-07-15 |
Issue discovered in a support ticket |
2024-07-17 |
202 ecomemrce inform PayPal of a suspicious transaction |
2024-07-22 |
Logical weakness confirmed in a testing environment |
2024-07-25 |
Publication of this advisory with releases patch |
In the module "PayPal Official" for PrestaShop 7+ release <= 6.4.1 and for PrestaShop 1.6 release <= 3.18.0, a malicious customer can confirm as "payment accepted" an order even if payment is finally declined by PayPal.
A logical weakness during the capture of a payment in case of disabled webhooks can be exploited to create an accepted order.
Possible malicious usage
Recommendations
Timeline