Versions 2.x.x and earlier of
paypal-ipn are affected by a validation bypass vulnerability.
paypal-ipn uses the
test_ipn parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox.
A motivated attacker could craft a request string using the simulator to fool the application into entering the sandbox mode, potentially allowing purchases without valid payment.
Upgrade to version 3.0.0 or later.