
A couple of days ago we had a $1000 sale on our 2.3.0.2 site though PP standard.. Great! Then a routine check of our PP account we discovered the buyer had only paid PP $23 for the $1000 item WTF?? Fortunately we hadn't sent it. It was still on the back of the couriers van. We contacted PP and this was the response:
Back in 2015, PayPal was alerted of a vulnerability that affect OpenCart v1.5 carts. Essentially at the checkout page, the buyer can open a HTML coding path and change the amount of the product. Both PayPal and OpenCart alerted people at the time, but obviously many years have passed since then.
I don’t know what version of OpenCart you have but here is a link that discussed that event, and a potential quick fix for you. This is all done from OpenCart’s site as they are the ones that had the vulnerability: https://www.antropy.co.uk/blog/paypal-s ... art-1-5-x/
Anyway it seems its still an issue with 2.3.0.2. and hopefully no longer a problem with 3.0.3.0 which we are soon upgrading to. If you are still using PP Standard don't, move to PP Express as it has better security so they tell us.