
Plugin Reviews

WordPress Simple Paypal Shopping Cart

Very easy to use Simple WordPress Paypal Shopping Cart Plugin. Great for selling products online in one click from your WordPress site.

5 reviews. Average rating: 4.3 out of 5 stars. Showing the reviews that gave a rating of 4 stars.
4 stars
Security considerations when selling digital goods
By , for WP 3.9

Hello.

I'm using this plugin standalone on my WordPress site to sell software licenses. Maybe this plugin is valid for manual sales, but it's insecure and I want to share my findings.

If you manually check transactions at PayPal before sending items, or have additional fraud controls, you are safe, so ignore my comments :)

By default you are exposed to several fraud risks that should be considered if you use this plugin to sell digital goods.

1 - eCommerce impersonation: the business PayPal address is not validated by default. Therefore someone could resend you another eCommerce site's valid IPN notification and trigger actions on your system.

As a quick fix for the paypal.php code:

// Reject IPNs addressed to any PayPal account other than ours; the 'business'
// field of the IPN carries the receiving account's email address or merchant ID.
$business = $this->ipn_data['business'];
if ($business != 'ecommerce@yoursite.com') {
    $this->debug_log('INVALID IPN: unknown business: ' . $business, true);
    die();
}

I've implemented some functions to generate software licenses once the IPN is validated; however, there are some more security considerations:

2 - IPNs can be sent several times by an attacker. Be careful and check if the PayPal transaction ID was already used ($txn_id). Unless you check it, you are going to sell items or generate licenses more than once for the same payment.

3 - Prices are not validated: a user can intercept the request generated by the browser and modify the product price before it reaches PayPal, because it's not using certificate keys. An attacker can set a price of $0.10, for example.
The payment will succeed, and so will the transaction (IPN) validation once it reaches your WordPress site, because the transaction is valid and was generated by PayPal (the only problem is that PayPal doesn't know which price is the real one).
Double-check your price at $current_cart_item['price'] for your cart, or mc_gross when paying with a PayPal button.

Regards,

Andres Tarasco
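The three checks from the review above combined into one IPN acceptance function, as an added example that is not part of the review or of the plugin's own code. It assumes the standard cmd=_notify-validate postback to PayPal has already returned VERIFIED for the message (that step needs network access and is left out); the catalog, the expected business address, the seen-transaction store, the payment_status check and the sample IPN messages are constructed for the demonstration, and the mc_currency comparison is an addition beyond the review's three points.

```php
<?php
// Added example, not the plugin's code. Hardened IPN acceptance check that
// pins the receiving account, rejects replayed transaction IDs, and compares
// the amount paid against the price the server knows. Assumes the
// cmd=_notify-validate postback already returned VERIFIED for $ipn.

// Constructed server-side catalog: item_number => price and currency.
// Never trust the price that travelled through the buyer's browser.
const CATALOG = [
    'LIC-STD' => ['price' => 49.00,  'currency' => 'USD'],
    'LIC-PRO' => ['price' => 149.00, 'currency' => 'USD'],
];

// Receiver account pinned in server configuration, never read from the IPN.
const EXPECTED_BUSINESS = 'ecommerce@yoursite.com';

/**
 * Returns null when $ipn may trigger fulfilment, otherwise a rejection reason.
 * $seen_txn stands in for a persistent store of already-fulfilled txn_ids
 * (in a plugin this would be a database table or post meta).
 */
function accept_ipn(array $ipn, array &$seen_txn): ?string
{
    // 1. Impersonation: the IPN must be addressed to our account. Another
    //    merchant's genuine IPN would otherwise pass the VERIFIED postback.
    if (!isset($ipn['business'])
        || strcasecmp($ipn['business'], EXPECTED_BUSINESS) !== 0) {
        return 'unknown business: ' . ($ipn['business'] ?? '(none)');
    }
    // Only completed payments deliver goods; pending or reversed ones must not.
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return 'payment not completed: ' . ($ipn['payment_status'] ?? '(none)');
    }
    // 2. Replay: a genuine IPN resent by PayPal or by an attacker must not
    //    generate a second licence. txn_id is recorded only after all checks.
    $txn = $ipn['txn_id'] ?? '';
    if ($txn === '' || isset($seen_txn[$txn])) {
        return 'duplicate or missing txn_id: ' . $txn;
    }
    // 3. Price tampering: compare mc_gross and mc_currency with the server-side
    //    catalog, not with any price carried in the request.
    $item = CATALOG[$ipn['item_number'] ?? ''] ?? null;
    if ($item === null) {
        return 'unknown item_number';
    }
    $qty      = max(1, (int)($ipn['quantity'] ?? 1));
    $expected = round($item['price'] * $qty, 2);
    $paid     = round((float)($ipn['mc_gross'] ?? 0), 2);
    if (($ipn['mc_currency'] ?? '') !== $item['currency'] || $paid < $expected) {
        return sprintf('amount mismatch: paid %s %.2f, expected %s %.2f',
            $ipn['mc_currency'] ?? '?', $paid, $item['currency'], $expected);
    }
    // All checks passed: mark the transaction as consumed, then fulfil.
    $seen_txn[$txn] = true;
    return null;
}

// Constructed IPN messages exercising the accept path and each rejection path.
$base = [
    'business'       => 'ecommerce@yoursite.com',
    'payment_status' => 'Completed',
    'txn_id'         => '7AB12345CD678901E',
    'item_number'    => 'LIC-STD',
    'quantity'       => '1',
    'mc_gross'       => '49.00',
    'mc_currency'    => 'USD',
];
$cases = [
    'genuine'          => $base,
    'other merchant'   => ['business' => 'shop@other-site.example'] + $base,
    'replayed'         => $base,   // same txn_id presented a second time
    'price tampered'   => ['txn_id' => 'NEW1', 'mc_gross' => '0.10'] + $base,
    'currency swapped' => ['txn_id' => 'NEW2', 'mc_currency' => 'MXN'] + $base,
];
$seen = [];
foreach ($cases as $label => $ipn) {
    $reason = accept_ipn($ipn, $seen);
    printf("%-17s %s\n", $label . ':',
        $reason === null ? 'FULFIL' : 'REJECT (' . $reason . ')');
}
```

Only the first case is fulfilled; the replayed copy is refused because its txn_id was recorded on the first pass, and the tampered amount and swapped currency are caught by comparing against the catalog rather than against anything the buyer's browser sent.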

4 stars
Great Plugin
By , for WP 3.6

Works great, easy to use.

4 stars
Almost 5 stars!
By , for WP 3.5.1

If there were something that showed the customer that their shipping became free at a certain value, I would go from 4 to 5 stars. Other than that, it is a fantastic tool.

4 stars
Works for me
By , for WP 3.4.2

We only offer three items on our site and it works for our needs. It's simple. I don't know how it would work for a really busy site.

4 stars
Almost works perfectly
By , for WP 3.4.2

There are a couple of little glitches, but nothing serious, like an empty cart not displaying.
