CVE-2026-9612
The CVE-2026-9612 entry concerns the WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress. It affects versions up to 1.0.1 and is caused by the yapacdev_generate_order_pdf function, which exposes sensitive customer PII and order details. Attack flow: an unauthenticated user can enumera...
EUVD-2026-37996
The 2Download Connector for 2DL Hosted Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 0.1.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...
EUVD-2026-20105
The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return_true', meaning no...
CVE-2025-14294 Razorpay for WooCommerce <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification
The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials permission callback always returning true,...
CVE-2025-14460
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the...
CVE-2025-14085
The CVE-2025-14085 entry concerns youlaitech youlai-mall versions 1.0.0–2.0.0. The vulnerability resides in an unknown function under the /app-api/v1/orders/ endpoint, where manipulating the orderId parameter leads to improper control of dynamically-identified variables. This enables remote explo...
CVE-2024-8860
The CVE-2024-8860 case concerns the WordPress Tourfic plugin (versions up to and including 2.14.5). The vulnerability arises from missing capability checks in multiple functions (tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order...
PT-2025-34507 · WordPress · Simpler Checkout
Name of the Vulnerable Software and Affected Versions: Simpler Checkout versions 0.7.0 through 1.1.9
Description: The Simpler Checkout plugin for WordPress is susceptible to authentication bypass. The plugin does not properly verify a user’s identity before granting access as an administrator...
OroCommerce Access Control Error Vulnerability
OroCommerce is an open source business-to-business commerce application from Oro. An access control error vulnerability exists in OroCommerce that stems from allowing detailed order total information to be retrieved by Order ID. Affected product versions: OroCommerce versions 4.2.0 through 4.2.10, 5.0.0...
Cross-site Scripting (XSS)
Overview: shopxo/shopxo is an e-commerce system. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) by using the index.php?s=order&ids="alert1; payload.
Details: Cross-site scripting or XSS is a code vulnerability that occurs when an attacker “injects” a malicious script...