CVE-2026-9822 WP Hotel Booking < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers
The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data...
EUVD-2026-36979
Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions...
CVE-2026-49068
Subscriber Sensitive Data Exposure in Coupon Affiliates <= 7.8.1 versions...
CVE-2026-40770
Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions...
CVE-2026-49068 WordPress Coupon Affiliates plugin <= 7.8.1 - Sensitive Data Exposure vulnerability
Subscriber Sensitive Data Exposure in Coupon Affiliates <= 7.8.1 versions...
EUVD-2026-36875
Subscriber Sensitive Data Exposure in Coupon Affiliates <= 7.8.1 versions...
CVE-2026-49068
The CVE concerns the WordPress Coupon Affiliates plugin (versions
CVE-2026-40770 WordPress Coupon Affiliates plugin <= 7.5.3 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions...
CVE-2026-40770
CVE-2026-40770 concerns the WordPress plugin Coupon Affiliates (versions
PT-2026-49414
Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions...
PT-2026-49505
Subscriber Sensitive Data Exposure in Coupon Affiliates <= 7.8.1 versions...
WordPress WP eCommerce plugin <= 3.15.1 - Coupon Deletion via CSRF vulnerability
Coupon Deletion via CSRF vulnerability discovered by Bob Matyas in WordPress Plugin WP eCommerce versions <= 3.15.1...
WordPress Coupon Affiliates plugin <= 7.8.1 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Stefano in WordPress Plugin Coupon Affiliates versions <= 7.8.1...
CVE-2026-34358 CtrlPanel: Missing Authorization on Admin Write Endpoints Allows RBAC Bypass
CtrlPanel is open-source billing software for hosting providers. Versions 1.1.1 and prior contain a broken access control vulnerability where multiple admin controllers enforce permission checks on form display methods but omit equivalent checks on the corresponding write methods, allowing any...
WordPress Coupon Affiliates – Affiliate Plugin for WooCommerce plugin <= 5.17.2 - Unauthenticated Reflected Cross-Site Scripting vulnerability
Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Coupon Affiliates versions <= 5.17.2...
WordPress Coupon Affiliates plugin <= 7.5.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Coupon Affiliates versions <= 7.5.3...
CVE-2026-39508
CVE-2026-39508 affects the WordPress plugin Advanced Coupons for WooCommerce Coupons (free) up to version 4.7.1.1. The issue is a DOM-based cross-site scripting (XSS) vulnerability caused by improper neutralization of input during web page generation, allowing injected scripts in the affected plu...
CVE-2026-31824
Sylius is an Open Source eCommerce Framework on Symfony. A Time-of-Check To Time-of-Use (TOCTOU) race condition was discovered in the promotion usage limit enforcement. The same class of vulnerability affects the promotion usage limit (the global used counter on Promotion entities), coupon usage limi...
EUVD-2026-10920
Sylius has a Promotion Usage Limit Bypass via Race Condition...