275 matches found
WordPress Gerencianet Oficial <= 3.1.3 - Unauthenticated Order Status Disclosure
Efí Bank Gerencianet Oficial = 3.1.3 contains an insertion of sensitive information into sent data vulnerability caused by improper handling of embedded sensitive data, letting attackers retrieve embedded sensitive data, exploit requires crafted requests. id: CVE-2025-59136 info: name: WordPress...
WordPress Nexi XPay plugin <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification vulnerability
Missing Authorization to Unauthenticated Order Status Modification vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Nexi XPay versions = 8.3.0...
CVE-2025-15565
The Nexi XPay plugin for WordPress (all versions up to and including 8.3.0) is vulnerable to unauthorized data modification due to missing authorization checks on the redirect function. This allows unauthenticated attackers to mark pending WooCommerce orders as paid or completed. CVSS 3.1 base sc...
CVE-2025-15565 Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification
The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed...
CVE-2025-15565
The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed...
CVE-2025-15565 Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification
The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed...
PT-2026-32918
The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed...
CVE-2026-29173
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...
CVE-2026-3641 Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint
The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any...
CVE-2026-3641 Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint
The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any...
CVE-2026-29173
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...
CVE-2026-29173 Craft Commerce has Stored XSS while updating Order Status from Orders Table
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...
CVE-2026-29173 Craft Commerce has Stored XSS while updating Order Status from Orders Table
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...
CVE-2026-29173
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...
CVE-2026-29173 Craft Commerce has Stored XSS while updating Order Status from Orders Table
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...
EUVD-2026-10815
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...
CVE-2026-29173
Craft Commerce (for Craft CMS) has a stored XSS vulnerability that affects the Order Status name field when updating the status from the Commerce Orders Table. The issue occurs prior to versions 4.10.2 and 5.5.3, where the Status Name is rendered without proper escaping, enabling script execution...
EUVD-2026-10814
Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table...
GHSA-MQXF-2998-C6CP Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
Summary A stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. --- Proof of Concept Required Permissions - Admin access to edit/create Order...
Craft Commerce is Vulnerable to Stored XSS while updating Order Status from Orders Table
Summary A stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. --- Proof of Concept Required Permissions - Admin access to edit/create Order...