EUVD-2026-22853

The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This is due to the expresspayproductpagepayfororder function logging users in based solely on a user-supplied billing email address during guest checkout for...

Unauthenticated Spree Commerce users can access all guest addresses

Summary A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information PII includi...