41 matches found

RedhatCVE · added 2026/01/09 10:19 a.m. · 4 views

CVE-2019-18608

Cezerin v0.33.0 allows unauthorized order-information modification because certain internal attributes can be overwritten via a conflicting name when processing order requests. Hence, a malicious customer can manipulate an order, e.g. its payment status or shipping fee, by adding additional...

CVSS 7.5 · AI score 6.7 · EPSS 0.00344
Exploits: 1 · References: 1
RedhatCVE · added 2026/01/09 9:16 a.m. · 4 views

CVE-2025-14460

The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the...

CVSS 5.3 · AI score 5.8 · EPSS 0.00033
Exploits: 0 · References: 1
OSV · added 2026/01/08 9:27 p.m. · 3 views

GHSA-G268-72P7-9J6J Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Summary: An Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users' address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request,...

CVSS 6.5 · AI score 6.6 · EPSS 0.00009
Exploits: 1 · References: 8
Github Security Blog · added 2026/01/08 9:27 p.m. · 6 views

Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Summary: An Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users' address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request,...

CVSS 6.5 · AI score 6.8 · EPSS 0.00009
Exploits: 1 · References: 8 · Affected software: 1
EUVD · added 2026/01/08 8:53 p.m. · 3 views

EUVD-2026-1421

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users' address information by modifying ...

CVSS 6.5 · AI score 6 · EPSS 0.00009
Exploits: 1 · References: 7
Vulnrichment · added 2026/01/08 8:53 p.m. · 5 views

CVE-2026-22588 Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users' address information by modifying ...

CVSS 6.5 · AI score 6.1 · EPSS 0.00009
Exploits: 1 · References: 5
Cvelist · added 2026/01/08 8:53 p.m. · 19 views

CVE-2026-22588 Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users' address information by modifying ...

CVSS 6.5 · EPSS 0.00009
Exploits: 1 · References: 5
CVE · added 2026/01/08 8:53 p.m. · 10 views

CVE-2026-22588

Summary (validated): Spree (Ruby on Rails e-commerce) contains an authenticated IDOR vulnerability in which a user can retrieve other users' address information by modifying an existing order. The flaw arises when an authenticated user manipulates address identifiers in the request during order ...

CVSS 6.5 · AI score 6.1 · EPSS 0.00009
Exploits: 1 · References: 5 · Affected software: 1
RubySec · added 2026/01/08 12:00 a.m. · 5 views

Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification

Summary: An Authenticated Insecure Direct Object Reference (IDOR) vulnerability was identified that allows an authenticated user to retrieve other users' address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request,...

CVSS 6.5 · AI score 6.8 · EPSS 0.00009
Exploits: 1 · References: 1 · Affected software: 1
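The Spree entries above (CVE-2026-22588 / GHSA-G268-72P7-9J6J) describe the classic shape of an authenticated IDOR: the order's ownership is checked, but an address identifier inside the order update is not. The following Ruby example is added here to illustrate that pattern and its fix; it is not Spree's code and does not reproduce Spree's actual fix. The `NotFound` class, the `ADDRESSES`/`ORDERS` tables and the handler names are constructed for the example.

```ruby
# Added example (not Spree's code). One error class covers both "does not
# exist" and "not yours", so the response does not confirm which address
# ids exist.
class NotFound < StandardError; end

# Constructed address and order tables (hypothetical schema):
# address id => owning user id and text; order id => owning user and address.
ADDRESSES = {
  1 => { user_id: 10, text: 'Alice, 1 Alpha Lane' },
  2 => { user_id: 20, text: 'Bob, 2 Beta Street' }
}.freeze

ORDERS = {
  500 => { user_id: 10, bill_address_id: 1 }
}.freeze

# Vulnerable pattern: ownership of the *order* is verified, but the address
# id taken from the request is looked up globally. A user editing their own
# order can therefore attach, and read back, any other user's address.
def set_bill_address_vulnerable(current_user_id, order_id, address_id)
  order = ORDERS.fetch(order_id) { raise NotFound }
  raise NotFound unless order[:user_id] == current_user_id
  address = ADDRESSES.fetch(address_id) { raise NotFound }   # not scoped to the user
  order.merge(bill_address_id: address_id, bill_address: address[:text])
end

# Hardened pattern: the address must belong to the same user as the order.
# The lookup is scoped to the caller, so a foreign id is indistinguishable
# from a non-existent one.
def set_bill_address(current_user_id, order_id, address_id)
  order = ORDERS.fetch(order_id) { raise NotFound }
  raise NotFound unless order[:user_id] == current_user_id
  address = ADDRESSES.fetch(address_id) { raise NotFound }
  raise NotFound unless address[:user_id] == current_user_id
  order.merge(bill_address_id: address_id, bill_address: address[:text])
end

# Does the given handler let user 10, editing their own order 500, read
# user 20's address (id 2)? Returns true if the address text leaks.
def leaks_address?(handler)
  send(handler, 10, 500, 2)[:bill_address].include?('Bob')
rescue NotFound
  false
end
```

In ActiveRecord terms the hardened version is the difference between `Address.find(params[:bill_address_id])` and `current_user.addresses.find(params[:bill_address_id])`: the second form makes the ownership check part of the query rather than something each controller action has to remember.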
EUVD · added 2025/12/06 6:30 a.m. · 4 views

EUVD-2025-201528

The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated...

CVSS 5.3 · AI score 5.6 · EPSS 0.00106
Exploits: 0 · References: 4
NVD · added 2025/10/04 3:15 a.m. · 7 views

CVE-2025-9243

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with...

CVSS 8.1 · EPSS 0.00049
Exploits: 0 · References: 4
Vulnrichment · added 2025/10/04 2:24 a.m. · 2 views

CVE-2025-9243 Cost Calculator Builder <= 3.5.32 - Authenticated (Subscriber+) Missing Authorization via get_cc_orders/update_order_status Functions

The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the get_cc_orders and update_order_status functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with...

CVSS 8.1 · AI score 4.8 · EPSS 0.00049
Exploits: 0 · References: 3
CVE · added 2025/10/04 2:24 a.m. · 18 views

CVE-2025-9243

CVE-2025-9243 affects the WordPress plugin Cost Calculator Builder. A missing capability check in get_cc_orders and update_order_status permits authenticated users with Subscriber-level access (or higher) to access order management and modify order statuses in all versions up to and including 3.5...

CVSS 8.1 · AI score 4.8 · EPSS 0.00049
Exploits: 0 · References: 4
EUVD · added 2025/10/03 8:07 p.m. · 2 views

EUVD-2022-2838

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 7.5 · EPSS 0.00344
Exploits: 1 · References: 3
CVE · added 2025/08/26 7:06 a.m. · 8 views

CVE-2024-8860

The CVE-2024-8860 case concerns the WordPress Tourfic plugin (versions up to and including 2.14.5). The vulnerability arises from missing capability checks in multiple functions (tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order...

CVSS 4.3 · AI score 6.2 · EPSS 0.00059
Exploits: 0 · References: 2
Snyk · added 2025/03/18 3:30 p.m. · 2 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization in the index_onUpdateStatus function in Orders.php, which does not check the permissions of the user before modifying an order. Remediation: Upgrade tastyigniter/tastyigniter to version 4.0.0-beta.1 or higher...

CVSS 6.5 · AI score 6.9 · EPSS 0.00097
Exploits: 0 · References: 2
Positive Technologies · added 2025/01/08 12:00 a.m. · 9 views

PT-2025-1934 · WordPress · Shopping Cart & Ecommerce Store

Name of the Vulnerable Software and Affected Versions: The Shopping Cart & eCommerce Store plugin for WordPress versions up to, and including, 5.7.8. Description: The issue is related to a missing capability check on the webhook function, allowing unauthenticated attackers to modify order statuses...

CVSS 5.3 · AI score 7.2 · EPSS 0.00273
Exploits: 0 · References: 7
Positive Technologies · added 2024/03/13 12:00 a.m. · 3 views

PT-2024-15707 · WordPress · Duitku Payment Gateway

Name of the Vulnerable Software and Affected Versions: Duitku Payment Gateway plugin for WordPress versions up to, and including, 2.11.4. Description: The issue is related to a missing capability check on the check_duitku_response function, allowing unauthenticated attackers to modify data...

CVSS 5.3 · AI score 9.4 · EPSS 0.00394
Exploits: 0 · References: 6
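Three entries in this list (Piraeus Bank's 'fail' callback, the Shopping Cart & eCommerce Store webhook, and Duitku's check_duitku_response) share one root cause: a payment-gateway callback endpoint that changes order status without verifying that the request actually came from the gateway. The Ruby example below is added here to show the vulnerable shape next to a hardened handler; it is not the code of any of these plugins. The signature scheme it assumes (HMAC-SHA256 over the raw request body with a merchant secret, carried in a header) is a constructed stand-in, as are the `GATEWAY_SECRET`, the order store and the outcome-to-status mapping; real gateways each define their own verification procedure, which is what the handler must implement.

```ruby
require 'json'
require 'openssl'

# Constructed shared secret for the example. In a real deployment it comes
# from the merchant configuration, never from the request itself.
GATEWAY_SECRET = 'constructed-demo-secret'.freeze

# Constructed order store: order id => status and amount in minor units.
def new_orders
  { 'ORD-1' => { status: 'pending', amount: 4999 } }
end

# Vulnerable pattern: the callback is reachable without authentication and
# applies whatever order id and status it is sent. Anyone who can reach the
# endpoint can mark any order paid or failed.
def handle_callback_vulnerable(orders, params)
  order = orders[params['order_id']]
  return :unknown_order unless order
  order[:status] = params['status']
  :ok
end

# Assumed scheme: HMAC-SHA256 over the raw body, hex-encoded.
def expected_signature(raw_body)
  OpenSSL::HMAC.hexdigest('SHA256', GATEWAY_SECRET, raw_body)
end

# Constant-time comparison so the check does not leak how many leading
# characters of a guessed signature were correct.
def secure_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Only gateway-defined outcomes are mapped; the callback can never set an
# arbitrary status string.
OUTCOME_TO_STATUS = { 'success' => 'paid', 'fail' => 'payment_failed' }.freeze

# Hardened pattern: verify the signature before parsing anything, accept
# only known outcomes, cross-check the amount against the stored order, and
# refuse to let a late 'fail' callback downgrade an order already paid.
def handle_callback(orders, raw_body, signature)
  return :bad_signature unless secure_equal?(expected_signature(raw_body), signature)
  params = JSON.parse(raw_body)
  order = orders[params['order_id']]
  return :unknown_order unless order
  new_status = OUTCOME_TO_STATUS[params['result']]
  return :bad_result unless new_status
  return :amount_mismatch unless params['amount'] == order[:amount]
  return :already_final if order[:status] == 'paid'
  order[:status] = new_status
  :ok
end
```

The order of checks matters: the signature is verified over the raw bytes before the body is parsed, so an unauthenticated caller never reaches the JSON parser or the database. Where a gateway offers no signature at all, the equivalent control is to call back into the gateway's API with the transaction id and trust only that response, not the inbound request.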
Github Security Blog · added 2022/05/24 5:00 p.m. · 8 views

Cezerin Unauthorized Access

Cezerin v0.33.0 allows unauthorized order-information modification because certain internal attributes can be overwritten via a conflicting name when processing order requests. Hence, a malicious customer can manipulate an order, e.g. its payment status or shipping fee, by adding additional...

CVSS 7.5 · AI score 6.7 · EPSS 0.00344
Exploits: 1 · References: 3 · Affected software: 1
OSV · added 2022/05/24 5:00 p.m. · 9 views

GHSA-6PQ6-CRW9-522H Cezerin Unauthorized Access

Cezerin v0.33.0 allows unauthorized order-information modification because certain internal attributes can be overwritten via a conflicting name when processing order requests. Hence, a malicious customer can manipulate an order, e.g. its payment status or shipping fee, by adding additional...

CVSS 7.5 · AI score 7.3 · EPSS 0.00344
Exploits: 1 · References: 3
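The Cezerin entries (CVE-2019-18608 / GHSA-6PQ6-CRW9-522H) describe a mass-assignment flaw: the order handler copies request attributes onto the stored order, so a customer-supplied key whose name collides with an internal attribute such as the payment status or shipping fee overwrites it. Cezerin is a Node.js project; the example below is added here in Ruby to match the other examples on this page and is not Cezerin's code. The field names, the `CUSTOMER_WRITABLE` allowlist and the request body are constructed for the illustration.

```ruby
# Added example (not Cezerin's code). Fields a customer may legitimately
# change on their own order. Everything else is internal.
CUSTOMER_WRITABLE = %w[shipping_address note].freeze

# A minimal order record (hypothetical schema). payment_status,
# shipping_fee and total are meant to be set only by payment and pricing
# code, never from a customer request.
def new_order
  {
    'id' => 1001,
    'shipping_address' => '1 Old Street',
    'note' => '',
    'shipping_fee' => 12.5,
    'payment_status' => 'unpaid',
    'total' => 112.5
  }
end

# Vulnerable pattern: merge the request body straight into the record.
# Any key in the body, including 'payment_status', replaces the stored
# value because the names collide.
def update_order_vulnerable(order, body)
  order.merge(body)
end

# Hardened pattern: copy only allowlisted keys. Unknown keys are rejected
# rather than silently dropped, so a tampering attempt becomes a visible
# 4xx and a log line instead of a quiet no-op.
def update_order(order, body)
  unknown = body.keys - CUSTOMER_WRITABLE
  raise ArgumentError, "unexpected attributes: #{unknown.join(', ')}" unless unknown.empty?
  order.merge(body.slice(*CUSTOMER_WRITABLE))
end

# Constructed request body: a legitimate address change plus two colliding
# internal names a malicious customer might add.
MALICIOUS_BODY = {
  'shipping_address' => '2 New Road',
  'shipping_fee' => 0,
  'payment_status' => 'paid'
}.freeze

# Run both handlers on the same body and report what each did.
def demo
  tampered = update_order_vulnerable(new_order, MALICIOUS_BODY)
  rejected = begin
    update_order(new_order, MALICIOUS_BODY)
    false
  rescue ArgumentError
    true
  end
  { tampered: tampered, rejected: rejected }
end
```

An allowlist of writable attributes is the general fix for this class of bug regardless of framework; a denylist of "internal" names tends to fall behind as new attributes are added. Whether to reject or ignore unexpected keys is a product decision, but rejecting is the safer default for anything that touches money.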