HIGH
woocommerce
CVE published 2026-05-23
CVE-2026-9284
The WooCommerce PayPal Payments plugin for WordPress contains missing authorization checks on two WC-AJAX endpoints (`ppc-create-order` and `ppc-get-order`) in versions up to and including 4.0.1. The `ppc-create-order` endpoint accepts arbitrary WooCommerce order IDs in the `pay-now` context without validating order ownership, allowing unauthenticated attackers to create PayPal orders for any WC order and [truncated]