28 matches found
CVE-2026-32270
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON...
GHSA-7VVP-J573-5584 Shopware: Unauthenticated data extraction possible through store-api.order endpoint
Summary An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. Details Data Exposure Depending on the order payload configuration, attackers may retrieve: -...
CVE-2025-13679 Tutor LMS <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getorderbyid function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with...
EUVD-2021-0241
Malware in sbrugna...
EUVD-2024-53087
Malicious code in bioql PyPI...
EUVD-2025-9070
Malicious code in bioql PyPI...
WordPress plugin Multiple Shipping And Billing Address For Woocommerce 代码问题漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A code issue vulnerability exists in WordPress...
CVE-2025-26875 WordPress Multiple Shipping And Billing Address For Woocommerce Plugin <= 1.3 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce allows SQL Injection.This issue affects Multiple Shipping And Billing...
WordPress plugin Multiple Shipping And Billing Address For Woocommerce SQL注入漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A SQL injection vulnerability exists in...
CVE-2024-56290
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce allows SQL Injection.This issue affects Multiple Shipping And Billing...
CVE-2024-56290 WordPress Multiple Shipping And Billing Address For Woocommerce Plugin <= 1.2 - Unauthenticated SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce different-shipping-and-billing-address-for-woocommerce allows SQL Injection.This issue affects Multiple Shipping And Billing...
WordPress plugin Multiple Shipping And Billing Address For Woocommerce SQL注入漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A SQL injection vulnerability exists in...
WordPress Multiple Shipping And Billing Address For Woocommerce Plugin <= 1.2 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by LVT-tholv2k Patchstack Alliance in WordPress Plugin Multiple Shipping And Billing Address For Woocommerce versions = 1.2...
GHSA-663J-RJCR-789F CSV injection in shuup
“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and...
CSV injection in shuup
“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and...
CVE-2021-25962
“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and...
Design/Logic Flaw
“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and...
PYSEC-2021-355
“Shuup” application in versions 0.4.2 to 2.10.8 is affected by the “Formula Injection” vulnerability. A customer can inject payloads in the name input field in the billing address while buying a product. When a store administrator accesses the reports page to export the data as an Excel file and...
Cross-site Scripting (XSS) - Stored in bytefury/crater
✍️ Description Stored xss using customer billing address 🕵️♂️ Proof of Concept 1. First goto demo app https://demo.craterapp.com/admin/customers/create and create a customer . During creation put bellow xss payload in billing address field and save it . Now see xss is executed payload -- xss"'...
Magento Marketplace Suffers Data Breach Exposing Users' Account Info
If you have ever registered an account with the official Magento marketplace to bought or sold any extension, plugin, or e-commerce website theme, you must change your password immediately. Adobe—the company owning Magento e-commerce platform—today disclosed a new data breach incident that expose...