Remove order data from failed email check on payment

lukeholder · lukeholder · commit 48a5d9464199 · 2026-03-11T14:34:03.000+08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## Unreleased
 
 - Fixed a [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) SQL injection vulnerability in the control panel. (GHSA-875v-7m49-8x88)
+- Fixed a [low-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) Information disclosure vulnerability in payment controller action. (GHSA-3vxg-x5f8-f5qf)
 
 ## 4.10.2 - 2026-02-09
 
diff --git a/src/controllers/PaymentsController.php b/src/controllers/PaymentsController.php
@@ -141,9 +141,7 @@ public function actionPay(): ?Response
 
         if (!$order->getIsActiveCart() && !$checkPaymentCanBeMade) {
             $error = Craft::t('commerce', 'Email required to make payments on a completed order.');
-            return $this->asFailure($error, data: [
-                $this->_cartVariableName => $this->cartArray($order),
-            ]);
+            return $this->asFailure($error);
         }
 
         if ($plugin->getSettings()->requireShippingAddressAtCheckout && !$order->shippingAddressId) {

Original file line number	Diff line number	Diff line change
`@@ -141,9 +141,7 @@ public function actionPay(): ?Response`
`141`	`141`
`142`	`142`	`if (!$order->getIsActiveCart() && !$checkPaymentCanBeMade) {`
`143`	`143`	`$error = Craft::t('commerce', 'Email required to make payments on a completed order.');`
`144`		`- return $this->asFailure($error, data: [`
`145`		`- $this->_cartVariableName => $this->cartArray($order),`
`146`		`- ]);`
	`144`	`+ return $this->asFailure($error);`
`147`	`145`	`}`
`148`	`146`
`149`	`147`	`if ($plugin->getSettings()->requireShippingAddressAtCheckout && !$order->shippingAddressId) {`