Lucene search
K

277 matches found

OSV
OSV
added 2026/03/10 6:23 p.m.4 views

GHSA-MQXF-2998-C6CP Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table

Summary A stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. --- Proof of Concept Required Permissions - Admin access to edit/create Order...

4.8CVSS5.9AI score0.00318EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2026/03/10 6:23 p.m.8 views

Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table

Summary A stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. --- Proof of Concept Required Permissions - Admin access to edit/create Order...

4.8CVSS5.9AI score0.00318EPSS
Exploits1References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.6 views

PT-2026-24630

Summary A stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. --- Proof of Concept Required Permissions - Admin access to edit/create Order...

5.9AI score
Exploits0References5
CNNVD
CNNVD
added 2026/03/10 12:0 a.m.7 views

Craft Commerce 跨站脚本漏洞

Craft Commerce is an e-commerce platform developed under the open-source Craft CMS framework. Versions prior to 4.10.2 and 5.5.3 of Craft Commerce contained a cross-site scripting vulnerability. This vulnerability stemmed from improper escaping of order status names during rendering, which could...

4.8CVSS5.7AI score0.00318EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.3 views

PT-2026-24415

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...

4.8CVSS5.9AI score0.00318EPSS
Exploits1References4
CVE
CVE
added 2026/02/27 9:23 a.m.18 views

CVE-2026-1305

The CVE-2026-1305 entry concerns the WordPress plugin Japanized for WooCommerce (WooCommerce for Japan) with an authentication bypass vulnerability. The root cause is a flawed paidy_webhook_permission_check that unconditionally returns true when the webhook signature header is omitted, allowing u...

5.3CVSS6AI score0.00407EPSS
Exploits0References6
Patchstack
Patchstack
added 2026/02/16 7:45 a.m.11 views

WordPress BlueSnap Payment Gateway for WooCommerce plugin <= 3.3.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation vulnerability

Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin BlueSnap Payment Gateway for WooCommerce versions = 3.3.0...

7.5CVSS5.5AI score0.00281EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/02/14 5:16 a.m.11 views

CVE-2026-0692

The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin relying on WooCommerce's WCGeolocation::getipaddress function to validate IPN requests, which trusts user-controllable...

7.5CVSS0.00281EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/02/14 4:35 a.m.33 views

CVE-2026-0692 BlueSnap Payment Gateway for WooCommerce <= 3.4.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation

The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin relying on WooCommerce's WCGeolocation::getipaddress function to validate IPN requests, which trusts user-controllable...

7.5CVSS0.00281EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/02/14 4:35 a.m.4 views

CVE-2026-0692 BlueSnap Payment Gateway for WooCommerce <= 3.4.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation

The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin relying on WooCommerce's WCGeolocation::getipaddress function to validate IPN requests, which trusts user-controllable...

7.5CVSS5.8AI score0.00281EPSS
Exploits0References3
CVE
CVE
added 2026/02/14 4:35 a.m.16 views

CVE-2026-0692

The CVE-2026-0692 entry concerns the BlueSnap Payment Gateway for WooCommerce WordPress plugin. Affected component: the plugin (up to version 3.3.0). Root cause: it validates IPN requests by relying on WooCommerce’s WC_Geolocation::get_ip_address(), which trusts user-controllable headers (e.g., X...

7.5CVSS5.9AI score0.00281EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/02/05 1:22 p.m.8 views

CVE-2025-14461

The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wcxenditcallback that processes payment callbacks without any...

5.3CVSS5.3AI score0.00345EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/02/05 1:22 p.m.5 views

CVE-2026-0679

The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'checkfortisnotifyresponse' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order...

5.3CVSS5.5AI score0.00345EPSS
Exploits0References1
NVD
NVD
added 2026/02/04 9:15 a.m.10 views

CVE-2026-0679

The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'checkfortisnotifyresponse' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order...

5.3CVSS0.00345EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/02/04 8:25 a.m.3 views

CVE-2026-0679 Fortis for WooCommerce <= 1.2.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid via 'wc-api' Endpoint

The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'checkfortisnotifyresponse' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order...

5.3CVSS5.5AI score0.00345EPSS
Exploits0References4
EUVD
EUVD
added 2026/02/04 8:25 a.m.8 views

EUVD-2026-5411

The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'checkfortisnotifyresponse' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order...

5.3CVSS5.5AI score0.00345EPSS
Exploits0References3
CVE
CVE
added 2026/02/04 8:25 a.m.33 views

CVE-2026-0679

Fortis for WooCommerce (WordPress) is affected by an authorization bypass up to and including version 1.2.0 due to an inverted nonce check in check_fortis_notify_response, enabling unauthenticated attackers to change arbitrary WooCommerce order statuses (paid/processing/completed) via the wc-api ...

5.3CVSS5.5AI score0.00345EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/02/04 8:25 a.m.3 views

CVE-2025-14461

The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wcxenditcallback that processes payment callbacks without any...

5.3CVSS5.3AI score0.00345EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/02/04 8:25 a.m.4 views

CVE-2025-14461 Xendit Payment <= 6.0.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid

The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wcxenditcallback that processes payment callbacks without any...

5.3CVSS5.3AI score0.00345EPSS
Exploits0References4
CVE
CVE
added 2026/02/04 8:25 a.m.19 views

CVE-2025-14461

The CVE describes unauthenticated order-status manipulation in the Xendit Payment plugin for WordPress (WooCommerce integration). Versions up to and including 6.0.2 expose a publicly accessible API callback endpoint (wc_xendit_callback) that processes payment callbacks without authenticating orig...

5.3CVSS5.3AI score0.00345EPSS
Exploits0References4
Rows per page
Query Builder