swag/paypal is vulnerable to Insufficient Verification of Data Authenticity. When the JavaScript-based PayPal checkout methods (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit card) are used, the amount and item list sent to PayPal may not be identical to those in the created order.
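As an added illustration (not SwagPayPal code and not the plugin's actual fix), the following PHP sketch shows the kind of server-side check this weakness calls for: comparing the amount and item list held by PayPal against the shop's own order before the payment is accepted. The function names and the shop-side array layout are hypothetical; the PayPal side assumes the Orders v2 purchase unit fields `amount`, `currency_code`, `value`, `items`, `sku`, `quantity` and `unit_amount`.

```php
<?php
declare(strict_types=1); // added example; function names and shop-side keys are hypothetical

/** Decimal string ("19.99") to integer minor units; null if malformed. Assumes 2-decimal currencies. */
function toMinorUnits(string $value): ?int
{
    if (!preg_match('/^(\d+)(?:\.(\d{1,2}))?$/', $value, $m)) {
        return null;
    }
    return (int) $m[1] * 100 + (int) str_pad($m[2] ?? '0', 2, '0');
}

/** Differences between the shop order and a PayPal purchase unit; an empty list means they match. */
function diffOrderAgainstPayPal(array $shopOrder, array $purchaseUnit): array
{
    $problems = [];
    $amount = $purchaseUnit['amount'] ?? [];
    if (($amount['currency_code'] ?? '') !== $shopOrder['currency']) {
        $problems[] = 'currency mismatch';
    }
    if (toMinorUnits((string) ($amount['value'] ?? '')) !== $shopOrder['totalMinor']) {
        $problems[] = 'total mismatch';
    }
    // Compare line items keyed by SKU (one line per SKU assumed).
    $expected = $actual = [];
    foreach ($shopOrder['lines'] as $l) {
        $expected[$l['sku']] = [$l['quantity'], $l['unitMinor']];
    }
    foreach ($purchaseUnit['items'] ?? [] as $i) {
        $actual[$i['sku'] ?? ''] = [(int) ($i['quantity'] ?? 0), toMinorUnits((string) ($i['unit_amount']['value'] ?? ''))];
    }
    ksort($expected);
    ksort($actual);
    if ($expected !== $actual) {
        $problems[] = 'item list mismatch';
    }
    return $problems;
}

// Constructed sample: the PayPal side carries a lower total and is missing one item.
$shopOrder = ['currency' => 'EUR', 'totalMinor' => 2998, 'lines' => [
    ['sku' => 'A-1', 'quantity' => 1, 'unitMinor' => 1999],
    ['sku' => 'B-2', 'quantity' => 1, 'unitMinor' => 999],
]];
$purchaseUnit = ['amount' => ['currency_code' => 'EUR', 'value' => '19.99'], 'items' => [
    ['sku' => 'A-1', 'quantity' => '1', 'unit_amount' => ['currency_code' => 'EUR', 'value' => '19.99']],
]];
$problems = diffOrderAgainstPayPal($shopOrder, $purchaseUnit);
echo ($problems ? 'refuse capture: ' . implode(', ', $problems) : 'order matches') . PHP_EOL;
```

The purchase unit passed to the check should be the one fetched from PayPal by the server, not a copy relayed by the browser.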
github.com/shopware/SwagPayPal/commit/411282365ee28de0138dad149a775af808923c9f
github.com/shopware/SwagPayPal/commit/56e63f93e5009b194e8d419ae08337dbd41ac546
github.com/shopware/SwagPayPal/commit/57db5f4a57ef0a1646b509b415de9f03bf441b08
github.com/shopware/SwagPayPal/security/advisories/GHSA-vxpm-8hcp-qh27
news.shopware.com/security-issue-in-paypal-plugin-update-required