CVE-2025-29788
CVSS 3.1 Score 6.5 of 10 (medium)
Details
Summary
CVE-2025-29788 is a vulnerability in the Sylius PayPal Plugin, which integrates the PayPal Commerce Platform with Sylius. Versions prior to 1.6.1, 1.7.1, and 2.0.1 allow a customer to manipulate the final payment amount during PayPal Express Checkout. After initiating the checkout, at which point the PayPal order and its amount have already been created, the customer can change the item quantities in the shopping cart; PayPal then captures an amount that no longer matches the order, and Sylius marks the order as fully paid against the manipulated total. The practical effect is that a customer can deliberately pay less than the real order value, leaving the merchant with underpaid orders and undermining the integrity of payment processing.

The issue is fixed in versions 1.6.1, 1.7.1, and 2.0.1 and later. If updating is not possible, the recommended workaround is to modify the logic of `ProcessPayPalOrderAction`, `CompletePayPalOrderFromPaymentPageAction`, and `CaptureAction` in the end application so that the order total is verified against the amount PayPal is asked to capture, and actually captures, before the payment is marked complete.
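The following is an added, constructed model of the flaw described above and of the reconciliation check that closes it; it is not code from the Sylius PayPal Plugin or from PayPal, and it makes no use of their APIs. `Cart`, `PayPalOrder`, `complete_vulnerable`, `complete_hardened` and `run_scenario` are hypothetical names introduced here. The PayPal side is reduced to a stand-in whose amount is fixed when the order is created, which is the property the attack depends on: the cart can still change after that point, and a capture returns the originally created amount, not the current cart total.

```python
"""Constructed model of CVE-2025-29788: PayPal Express Checkout amount desync.

Not Sylius or PayPal code. Amounts are integers in minor units (cents)
so comparisons are exact.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Cart:
    """Merchant-side cart. Constructed example: prices are cents per SKU."""
    prices: Dict[str, int]
    quantities: Dict[str, int] = field(default_factory=dict)

    def total(self) -> int:
        return sum(self.prices[sku] * qty for sku, qty in self.quantities.items())


@dataclass
class PayPalOrder:
    """Stand-in for the PayPal-side order. `amount` is fixed at creation."""
    order_id: str
    amount: int
    captured: Optional[int] = None

    def capture(self) -> int:
        # PayPal captures what the order was created with, not whatever the
        # merchant's cart totals now.
        self.captured = self.amount
        return self.captured


def create_paypal_order(cart: Cart, order_id: str) -> PayPalOrder:
    """Checkout initiation: the PayPal order snapshots the cart total."""
    return PayPalOrder(order_id=order_id, amount=cart.total())


class AmountMismatch(Exception):
    """Raised when the PayPal amount does not match the current order total."""


def complete_vulnerable(cart: Cart, pp_order: PayPalOrder) -> str:
    """Pre-fix behaviour: a successful capture marks the order paid, with no
    comparison against the order's current total."""
    pp_order.capture()
    return "completed"


def complete_hardened(cart: Cart, pp_order: PayPalOrder) -> str:
    """Reconciliation check (hypothetical, modelled on the advisory's intent):
    refuse to capture when the PayPal order amount no longer equals the cart
    total, and re-verify the captured amount before marking the order paid."""
    expected = cart.total()
    if pp_order.amount != expected:
        raise AmountMismatch(
            f"PayPal order {pp_order.order_id} is for {pp_order.amount}, "
            f"but the order total is now {expected}"
        )
    captured = pp_order.capture()
    if captured != expected:
        raise AmountMismatch(f"captured {captured}, expected {expected}")
    return "completed"


def run_scenario(complete: Callable[[Cart, PayPalOrder], str],
                 tampered_qty: int = 5) -> Dict[str, object]:
    """Initiate checkout for one item, then change the quantity before completion.

    Returns the resulting status, what PayPal captured, and the order total so
    the underpayment (if any) is visible.
    """
    cart = Cart(prices={"widget": 1000}, quantities={"widget": 1})  # constructed
    pp_order = create_paypal_order(cart, "PP-EXAMPLE-1")  # amount fixed at 1000
    cart.quantities["widget"] = tampered_qty  # manipulation after initiation
    try:
        status = complete(cart, pp_order)
    except AmountMismatch as exc:
        status = f"rejected: {exc}"
    return {
        "status": status,
        "paypal_captured": pp_order.captured,
        "order_total": cart.total(),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(complete_vulnerable))
    print("hardened:  ", run_scenario(complete_hardened))
    print("hardened, untampered:", run_scenario(complete_hardened, tampered_qty=1))
```

In the vulnerable path the scenario ends "completed" with PayPal having captured 1000 while the order is worth 5000; the hardened path rejects the same cart before any capture happens, and still completes normally when the cart is left unchanged. Placing the check before the capture matters in practice, since a mismatch detected only afterwards leaves the merchant holding a partial payment that has to be refunded or reconciled by hand.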