LiveActive security incident?Get immediate response
CVE Record

CVE-2019-14979: cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress all...

cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

This CVE concerns payment amount tampering in a WordPress WooCommerce PayPal Checkout plugin flow. The key business risk is attempted underpayment, but the source bundle says WooCommerce validates the PayPal amount against the order total and leaves mismatches On Hold rather than completing the order.

Executive priority

Treat this as a fraud-control and order-integrity issue, not evidence of site takeover. Prioritize stores that automatically fulfill digital or physical goods before manual payment reconciliation.

Technical view

CVE-2019-14979 describes manipulation of PayPal cart amount parameters in WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17. The cited note says the PayPal flow amount can be changed, but completion checks the WooCommerce order total and blocks mismatch completion by leaving the order On Hold.

Likely exposure

Exposure is most relevant to WordPress stores using WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 with PayPal checkout enabled. The bundle does not establish broader affected versions or products.

Exploitation context

The source bundle describes parameter tampering that could attempt to pay less than the intended price. There is no KEV listing and no cited evidence of active exploitation in the provided sources.

Researcher notes

Evidence is limited. The CVE states parameter tampering is possible, while the plugin author says WooCommerce order-total validation prevents completion on mismatch. No CVSS, CWE, KEV entry, or source-provided patch details are included in the bundle.

Mitigation direction

  • Check whether WooCommerce PayPal Checkout Payment Gateway 1.6.17 is installed.
  • Review vendor and WordPress support guidance for fixed or recommended plugin versions.
  • Ensure mismatched payment totals keep orders On Hold before fulfillment.
  • Reconcile PayPal payment amounts against WooCommerce order totals.
  • Review On Hold orders for suspicious payment mismatches.

Validation and detection

  • Inventory WordPress sites using the named plugin and version.
  • Confirm PayPal transaction totals match WooCommerce order totals.
  • Verify fulfillment workflows do not ship On Hold orders automatically.
  • Review order notes and payment logs for mismatch handling.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2019-14979 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.