CVE-2025-30152: Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout

March 19, 2025 (updated March 20, 2025)

A discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the cart contents before finalizing the order. As a result, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to a scenario where merchants deliver products or services without full payment.

References

github.com/Sylius/PayPalPlugin
github.com/Sylius/PayPalPlugin/commit/5613df827a6d4fc50862229295976200a68e97aa
github.com/Sylius/PayPalPlugin/security/advisories/GHSA-hxg4-65p5-9w37
github.com/advisories/GHSA-hxg4-65p5-9w37
nvd.nist.gov/vuln/detail/CVE-2025-30152

Detect and mitigate CVE-2025-30152 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →