Security readout for executives and security teams
Plain-English summary
This CVE concerns payment amount tampering in a WordPress WooCommerce PayPal Checkout plugin flow. The key business risk is attempted underpayment, but the source bundle says WooCommerce validates the PayPal amount against the order total and leaves mismatches On Hold rather than completing the order.
Executive priority
Treat this as a fraud-control and order-integrity issue, not evidence of site takeover. Prioritize stores that automatically fulfill digital or physical goods before manual payment reconciliation.
Technical view
CVE-2019-14979 describes manipulation of PayPal cart amount parameters in WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17. The cited note says the PayPal flow amount can be changed, but completion checks the WooCommerce order total and blocks mismatch completion by leaving the order On Hold.
Likely exposure
Exposure is most relevant to WordPress stores using WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 with PayPal checkout enabled. The bundle does not establish broader affected versions or products.
Exploitation context
The source bundle describes parameter tampering that could attempt to pay less than the intended price. There is no KEV listing and no cited evidence of active exploitation in the provided sources.
Researcher notes
Evidence is limited. The CVE states parameter tampering is possible, while the plugin author says WooCommerce order-total validation prevents completion on mismatch. No CVSS, CWE, KEV entry, or source-provided patch details are included in the bundle.
Mitigation direction
- Check whether WooCommerce PayPal Checkout Payment Gateway 1.6.17 is installed.
- Review vendor and WordPress support guidance for fixed or recommended plugin versions.
- Ensure mismatched payment totals keep orders On Hold before fulfillment.
- Reconcile PayPal payment amounts against WooCommerce order totals.
- Review On Hold orders for suspicious payment mismatches.
Validation and detection
- Inventory WordPress sites using the named plugin and version.
- Confirm PayPal transaction totals match WooCommerce order totals.
- Verify fulfillment workflows do not ship On Hold orders automatically.
- Review order notes and payment logs for mismatch handling.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2019-14979 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://gkaim.com/cve-2019-14979-vikas-chaudhary/CVE reference · x_refsource_MISC
- https://wordpress.org/support/topic/vulnerabilty-in-plugin/#post-11899173CVE reference · x_refsource_MISC
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
