277 matches found
WooCommerce Anti-Fraud <= 3.2 - Unauthenticated Order Status Manipulation
The WooCommerce Anti-Fraud WordPress plugin was affected by an issue where an unauthenticated user could change the order status of any order, as there were no checks when changing the order status. The orderid was also predictable. On an individual level, if you have already received your order,...
Information Exposure
Overview spreeapi is a Spree Api module Affected versions of this package are vulnerable to Information Exposure. An attacker can query the API v2 Order Status endpoint with an empty string passed as an Order token. Remediation Upgrade spreeapi to version 3.7.13, 4.0.5, 4.1.12 or higher. Referenc...
Authorization bypass in Spree
Impact The perpetrator could query the API v2 Order Status https://guides.spreecommerce.org/api/v2/storefronttag/Order-Status endpoint with an empty string passed as an Order token Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version. Users of Spree 3.7 are not...
WordPress WooCommerce CardGate Payment Gateway 3.1.15 Plugin - Payment Process Bypass Exploit
Exploit for php platform in category web applications Exploit Title: WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass Exploit Author: GeekHack Vendor Homepage: https://www.cardgate.com www.curopayments.com Software Link:...
Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass Exploit
Exploit for php platform in category web applications Exploit Title: Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass Exploit Author: GeekHack Vendor Homepage: https://www.cardgate.com www.curopayments.com Software Link:...
Authentication flaw
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings merchant ID, secret key, etc. and therefore bypass...
WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass
WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass Exploit Title: WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass Discovery Date: 2020-02-02 Public Disclosure Date: 2020-02-22 Exploit Author: GeekHack Vendor Homepage:...
WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass
Exploit Title: WordPress Plugin WooCommerce CardGate Payment Gateway 3.1.15 - Payment Process Bypass Discovery Date: 2020-02-02 Public Disclosure Date: 2020-02-22 Exploit Author: GeekHack Vendor Homepage: https://www.cardgate.com www.curopayments.com Software Link:...
CardGate < 3.1.16 - Unauthorised Payments Hijacking and Order Status Spoofing
Lack of origin authentication CWE-346 at IPN callback processing function allow even unauthorized attacker to remotely replace critical plugin settings merchant id, secret key etc with known to him and therefore bypass payment process eg. spoof order status by manually sending IPN callback reques...
CardGate < 3.1.16 - Unauthorised Payments Hijacking and Order Status Spoofing
Lack of origin authentication CWE-346 at IPN callback processing function allow even unauthorized attacker to remotely replace critical plugin settings merchant id, secret key etc with known to him and therefore bypass payment process eg. spoof order status by manually sending IPN callback reques...
Unauthorized Form Data Modification
cezerin is vulnerable to unauthorized form data modification. Internal attributes such as paid and tax in the getValidDocumentForUpdate function in api/server/services/orders/orders.js can be overwritten using a conflicting name from user-input. This allows a malicious user to manipulate an order...
Automattic: Gaining unlimited bonus points on websites with WooCommerce Points and Rewards
In WooCommerce Points and Rewards plugin there is an assumption that Processing order status is only for paid orders. However, this assumption is wrong for payment gateway Cash On Delivery, which immediately changes order status to Processing on all new orders. Plugin then increases bonus points...
WordPress WooCommerce GloBee Payment Gateway 1.1.1 Bypass / Spoofing
?php Exploit Title: WordPress WooCommerce - GloBee cryptocurrency Payment Gateway Plugin Payment Bypass / Unauthorized Order Status Spoofing Discovery Date: 14.12.2018 Public Disclosure Date: 14.02.2019 Exploit Author: GeekHack Contact: https://t.me/GeekHack Vendor Homepage: https://globee.com/...
WordPress Plugin WooCommerce - GloBee (cryptocurrency) Payment Gateway 1.1.1 - Payment Bypass Unauthorized Order Status Spoofing
WordPress Plugin WooCommerce - GloBee cryptocurrency Payment Gateway 1.1.1 - Payment Bypass Unauthorized Order Status Spoofing ?php Exploit Title: WordPress WooCommerce - GloBee cryptocurrency Payment Gateway Plugin Payment Bypass / Unauthorized Order Status Spoofing Discovery Date: 14.12.2018...
Commerce Custom Order Status - Moderately critical - Cross Site Scripting - SA-CONTRIB-2018-046
Commerce Custom Order Status provides forms for administrators to add, edit, and delete order statuses from the order settings screen. The module doesn't sufficiently sanitize the output of the status names. This vulnerability is mitigated by the fact that an attacker must have a role with the...
modified eCommerce SQL Injection Vulnerability
modified eCommerce is an open source store software. Modified eCommerce suffers from a SQL injection vulnerability due to the easybillcsv.php file failing to adequately filter the 'ordersstatus' and 'customersstatus ' GET parameters, allowing remote attackers to submit specially crafted SQL queri...
SA-CONTRIB-2010-062 - Ogone | Ubercart payment - Access Bypass
Ogone | Ubercart payment is a payment module for Ubercart that integrates Ogone PSP gateway as a checkout method for Ubercart. The module does not always correctly verify the order status returned by the Ogone gateway, potentially allowing unpaid orders to be processed. Versions affected Ogone |...