Client-Side Enforcement of Server-Side Security

CVE-2025-7820

High

7.5/10

Summary

The SKT PayPal for WooCommerce plugin for WordPress is vulnerable to Payment Bypass in all versions up to, and including, 1.4. This is due to the plugin only enforcing client side controls instead of server-side controls when processing payments. This makes it possible for unauthenticated attackers to make confirmed purchases without actually paying for them.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-602 - Client-Side Enforcement of Server-Side Security

The software is composed of a server that relies on the client to implement a mechanism that is intended to protect the server.

References

Advisory Timeline

Published Nov 27, 2025

Client-Side Enforcement of Server-Side Security

CVE-2025-7820

Summary

CWE-602 - Client-Side Enforcement of Server-Side Security

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS