3 matches found
CVE-2026-11855
The CVE concerns the Simple Membership WordPress plugin (pre-4.7.5). It fails to verify Stripe webhook authenticity when no signing secret is configured and fails to escape a value from the webhook before displaying it in an administrator notice, enabling unauthenticated attackers to inject arbit...
CVE-2025-53392
CVE-2025-53392 : In pfSense CE 2.8.0, the WebCfg - Diagnostics: Command privilege allows an authenticated user to download/read arbitrary files via a directory traversal in diag_command.php (dlPath). This is a local file-disclosure vulnerability, with evidence of PoC/exploit activity (e.g., publi...
Shopify: Accessing Payments page and adding payment methods with limited access accounts
Users with the Orders permission were allowed to see the store's payment gateway information. This page should have been restricted to users with the Settings permission only. Using this vulnerability a User with limited access/ No access to Settings could add/alter/change Payment settings while...