CVE-2025-30152: 
PHP vulnerability analysis and mitigation

The Sylius PayPal Plugin, developed by the Sylius Core Team for the PayPal Commerce Platform, contains a vulnerability that affects versions prior to 1.6.2, 1.7.2, and 2.0.2. The vulnerability was discovered and disclosed on March 19, 2025, allowing users to modify their shopping cart contents after completing the PayPal Checkout process and payment authorization (GitHub Advisory).

The vulnerability is classified with a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The issue is identified as CWE-472 (External Control of Assumed-Immutable Web Parameter). The vulnerability occurs when users can manipulate their cart contents on the order summary page after initiating a PayPal transaction from either a product page or the cart page, but before finalizing the order (GitHub Advisory).

The vulnerability allows users to receive products or services without paying the full amount, potentially causing financial losses for merchants. When exploited, the order amount in Sylius may be higher than the amount actually captured by PayPal, leading to scenarios where merchants deliver products or services without receiving full payment. This also compromises the integrity of the payment process (GitHub Advisory).

The issue has been fixed in versions 1.6.2, 1.7.2, 2.0.2 and above. For users unable to update to the newest patches, a workaround is available that involves overwriting the PayPalOrderCompleteProcessor with modified logic and implementing additional changes to the CompletePayPalOrderListener and CaptureAction components. The workaround includes specific code implementations and service configurations for both PayPal 1.x and 2.x versions (GitHub Advisory).