Severity: critical

Validation Bypass



paypal-ipn versions 2.x.x and earlier are affected by a validation bypass vulnerability in the way Instant Payment Notification (IPN) messages are verified.

paypal-ipn reads the test_ipn parameter from the incoming notification (the PayPal IPN simulator sets this field) to decide whether to verify the message against the production PayPal site or the sandbox. The parameter arrives in the same untrusted message the library is supposed to be validating.

An attacker can therefore send the application a notification with test_ipn set, for example by pointing the IPN simulator at the application's IPN endpoint. The library then validates the message against the sandbox, which confirms it, and the application treats a transaction for which no real payment was made as a verified payment, potentially allowing purchases without valid payment.


Upgrade to version 3.0.0 or later. Independently of the library version, a production deployment should select the sandbox only from its own configuration, never from the notification, and should reject any notification that carries test_ipn.



Advisory timeline

  1. published

    Advisory published
    Dec 3rd, 2014
  2. reported

    Initial report by Martin Angelov
    Oct 17th, 2015