GHSA-vxpm-8hcp-qh27

GitHub Security Advisory

Payment information sent to PayPal not necessarily identical to created order

✓ GitHub Reviewed | HIGH | Has CVE

Advisory Details

### Impact
If JavaScript-based PayPal checkout methods are used (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit card), the amount and item list sent to PayPal may not be identical to those in the created order.

### Patches
The problem has been fixed in version 5.4.4.

### Workarounds
Disable the aforementioned payment methods or use the Security Plugin in version >= 1.0.21.

### References
[Shopware blog post](https://news.shopware.com/security-issue-in-paypal-plugin-update-required)

Affected Packages

Packagist swag/paypal
Affected versions: 0 (fixed in 5.4.4)

Key Information

GHSA ID: GHSA-vxpm-8hcp-qh27
Published: February 3, 2023 9:07 PM
Last Modified: February 15, 2023 6:38 PM
CVSS Score: 7.5/10
Primary Ecosystem: Packagist
Primary Package: swag/paypal
GitHub Reviewed: ✓ Yes

Dataset

Last updated: November 26, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.