Hi,
Was doing some testing to see if I could replicate an order issue and came across an exploit.

1. Place an order via PayPal & complete it with success URL.
2. Copy the success URL at receipt screen ie domain.com /shop/checkout/ctl/ThirdPartyPayment/mid/1778?token=EC-1W3254626J198490T&PayerID=G64GE4KVV3SHG
3. add products to cart and place another order via paypal.
4. At paypal payment screen, paste the previous successful URL
5. Order is placed. Skipping payment.
6. check back office to see a new order has been placed. order emails sent.

Can confirm its with 3.5.0 only, seems the older version displays a different URL when receiving success / receipt after payment domain.com /Shop/Checkout/action/receipt/id/a1e3a629-c7fa-4596-8ada-0d35f49dfca8

I have default view sets templates applied.

Please look into this as soon as possible as I'm yet to know how to solve it.