Fixed a bug where a negative payment amount could be set on an order (GHSA-78vr-q6cf-c7p6)

Author: lukeholder

CHANGELOG.md

@@ -3,6 +3,7 @@
 ## Unreleased
 
 - Cart requests that include a `couponCode` param are now rate-limited. (GHSA-h5gm-x9wr-vhcm)
+- Fixed a bug where a negative payment amount could be set on an order. (GHSA-78vr-q6cf-c7p6)
 
 ## 4.11.1 - 2026-04-30
 

src/elements/Order.php

@@ -2449,14 +2449,19 @@ public function getPaymentAmount(): float
     /**
      * Sets the order's payment amount in the order's currency. This amount is not persisted.
      *
+     * This will remain null if set to zero or a negative number.
+     *
      * @throws CurrencyException
      * @throws InvalidConfigException
      */
     public function setPaymentAmount(float $amount): void
     {
         $paymentCurrency = Plugin::getInstance()->getPaymentCurrencies()->getPaymentCurrencyByIso($this->getPaymentCurrency());
         $amount = Currency::round($amount, $paymentCurrency);
-        $this->_paymentAmount = $amount;
+
+        if($amount >= 0) {
+            $this->_paymentAmount = $amount;
+        }
     }
 
     /**