47 matches found
CVE-2025-14078
The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygentcheckwebhook function combined with the paygentpermissioncallback function unconditionally returning true ...
CVE-2026-0820
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wcuploadandsavesignaturehandler function in all versions up to, and including, 4.1116. This makes it possible for...
CVE-2025-14078
The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygentcheckwebhook function combined with the paygentpermissioncallback function unconditionally returning true ...
CVE-2026-0820
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wcuploadandsavesignaturehandler function in all versions up to, and including, 4.1116. This makes it possible for...
CVE-2025-14880
The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handlereturnurl function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommer...
CVE-2025-15475
CVE-2025-15475 affects the PayHere Payment Gateway Plugin for WooCommerce (WordPress). The issue arises from improper validation in the check_payhere_response function, allowing unauthenticated attackers to modify data and change the status of pending WooCommerce orders to paid/completed/on hold ...
CVE-2019-18608
Cezerin v0.33.0 allows unauthorized order-information modification because certain internal attributes can be overwritten via a conflicting name when processing order requests. Hence, a malicious customer can manipulate an order e.g., its payment status or shipping fee by adding additional...
CVE-2025-14460
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the...
GHSA-G268-72P7-9J6J Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification
Summary An Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request,...
Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification
Summary An Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request,...
EUVD-2026-1421
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...
CVE-2026-22588 Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...
CVE-2026-22588 Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification
Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 4.10.2, 5.0.7, 5.1.9, and 5.2.5, an Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying ...
CVE-2026-22588
Summary (validated) : Spree (Ruby on Rails e-commerce) contains an authenticated IDOR vulnerability in which a user can retrieve other users’ address information by modifying an existing order. The flaw arises when an authenticated user manipulates address identifiers in the request during order ...
Spree API has Authenticated Insecure Direct Object Reference (IDOR) via Order Modification
Summary An Authenticated Insecure Direct Object Reference IDOR vulnerability was identified that allows an authenticated user to retrieve other users’ address information by modifying an existing order. By editing an order they legitimately own and manipulating address identifiers in the request,...
EUVD-2025-201528
The Helloprint plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.2. This is due to the plugin registering a public REST API endpoint without implementing authorization checks to verify request authenticity. This makes it possible for unauthenticated...
CVE-2025-9243
The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the getccorders and updateorderstatus functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with...
CVE-2025-9243 Cost Calculator Builder <= 3.5.32 - Authenticated (Subscriber+) Missing Authorization via get_cc_orders/update_order_status Functions
The Cost Calculator Builder plugin for WordPress is vulnerable to unauthorizedmodification of data due to a missing capability check on the getccorders and updateorderstatus functions in all versions up to, and including, 3.5.32. This makes it possible for authenticated attackers, with...
CVE-2025-9243
CVE-2025-9243 affects the WordPress plugin Cost Calculator Builder. A missing capability check in get_cc_orders and update_order_status permits authenticated users with Subscriber-level access (or higher) to access order management and modify order statuses in all versions up to and including 3.5...
EUVD-2022-2838
Malicious code in bioql PyPI...