23 matches found

ATTACKERKB
added 2026/04/14 9:26 p.m., 3 views

CVE-2025-15565

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed...

CVSS 5.3, AI score 5.8, EPSS 0.00189
Exploits: 0, References: 3

Positive Technologies
added 2026/04/14 12:00 a.m., 9 views

PT-2026-32918

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed...

CVSS 5.3, AI score 5.8, EPSS 0.00189
Exploits: 0, References: 4

Vulnrichment
added 2026/03/21 3:26 a.m., 7 views

CVE-2026-3641 Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint

The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any...

CVSS 5.3, AI score 5.9, EPSS 0.003
Exploits: 0, References: 9

Cvelist
added 2026/03/21 3:26 a.m., 32 views

CVE-2026-3641 Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint

The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any...

CVSS 5.3, EPSS 0.003
Exploits: 0, References: 9

CVE
added 2026/02/27 9:23 a.m., 16 views

CVE-2026-1305

The CVE-2026-1305 entry concerns the WordPress plugin Japanized for WooCommerce (WooCommerce for Japan) with an authentication bypass vulnerability. The root cause is a flawed paidy_webhook_permission_check that unconditionally returns true when the webhook signature header is omitted, allowing u...

CVSS 5.3, AI score 6, EPSS 0.00407
Exploits: 0, References: 6

CVE
added 2026/02/14 4:35 a.m., 16 views

CVE-2026-0692

The CVE-2026-0692 entry concerns the BlueSnap Payment Gateway for WooCommerce WordPress plugin. Affected component: the plugin (up to version 3.3.0). Root cause: it validates IPN requests by relying on WooCommerce’s WC_Geolocation::get_ip_address(), which trusts user-controllable headers (e.g., X...

CVSS 7.5, AI score 5.9, EPSS 0.00281
Exploits: 0, References: 3

RedhatCVE
added 2026/02/05 1:22 p.m., 8 views

CVE-2025-14461

The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wcxenditcallback that processes payment callbacks without any...

CVSS 5.3, AI score 5.3, EPSS 0.00345
Exploits: 0, References: 1

Cvelist
added 2026/01/28 11:23 a.m., 28 views

CVE-2025-15511 Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification

The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handlewebhook function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending...

CVSS 5.3, EPSS 0.00205
Exploits: 0, References: 2

Positive Technologies
added 2026/01/20 12:00 a.m., 4 views

PT-2026-3531

The PeachPay — Payments & Express Checkout for WooCommerce supports Stripe, PayPal, Square, Authorize.net plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including,...

CVSS 5.3, AI score 5.7, EPSS 0.00219
Exploits: 0, References: 3

CNNVD
added 2026/01/17 12:00 a.m., 7 views

WordPress plugin PAYGENT for WooCommerce has security vulnerabilities

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

CVSS 5.3, AI score 5.8, EPSS 0.00261
Exploits: 0, References: 6

RedhatCVE
added 2026/01/15 7:23 a.m., 14 views

CVE-2025-15475

The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to improper validation logic in the checkpayhereresponse function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to...

CVSS 5.3, AI score 6, EPSS 0.00225
Exploits: 0, References: 1

NVD
added 2026/01/14 7:16 a.m., 5 views

CVE-2025-15475

The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to improper validation logic in the checkpayhereresponse function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to...

CVSS 5.3, EPSS 0.00225
Exploits: 0, References: 3

Cvelist
added 2026/01/09 4:31 a.m., 27 views

CVE-2025-14886 Japanized for WooCommerce <= 2.7.17 - Missing Authorization to Unauthenticated Order Status Modification

The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the order REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order a...

CVSS 5.3, EPSS 0.00236
Exploits: 0, References: 2

NVD
added 2026/01/07 12:16 p.m., 6 views

CVE-2025-14460

The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the...

CVSS 5.3, EPSS 0.0036
Exploits: 0, References: 4

Patchstack
added 2026/01/07 11:20 a.m., 11 views

WordPress Piraeus Bank WooCommerce Payment Gateway plugin <= 3.1.4 - Missing Authorization to Unauthenticated Arbitrary Order Status Change vulnerability

Missing Authorization to Unauthenticated Arbitrary Order Status Change vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Piraeus Bank WooCommerce Payment Gateway versions <= 3.1.4...

CVSS 5.3, AI score 6.8, EPSS 0.0036
Exploits: 0, References: 1, Affected Software: 1

Cvelist
added 2026/01/07 9:21 a.m., 25 views

CVE-2025-14460 Piraeus Bank WooCommerce Payment Gateway <= 3.1.4 - Missing Authorization to Unauthenticated Arbitrary Order Status Change

The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the...

CVSS 5.3, EPSS 0.0036
Exploits: 0, References: 4

EUVD
added 2025/10/03 8:07 p.m., 7 views

EUVD-2023-33696

Malicious code in bioql PyPI...

CVSS 6.5, AI score 7.2, EPSS 0.00337
Exploits: 2, References: 1

RedhatCVE
added 2025/05/23 2:30 a.m., 3 views

CVE-2023-3202

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatefirebaseserverkey function. This makes it possible for unauthenticated attackers to update the firebase server key to push notification when order status changed via ...

CVSS 4.3, AI score 5.8, EPSS 0.00296
Exploits: 0, References: 1

OSV
added 2024/01/16 9:15 p.m., 5 views

CVE-2023-48926

An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status...

CVSS 5.3, AI score 5.8, EPSS 0.00346
Exploits: 0, References: 1

CNNVD
added 2024/01/16 12:00 a.m., 3 views

Shopware Access Control Error Vulnerability

Shopware is a suite of open source e-commerce software from the German company Shopware. An access control error vulnerability exists in Shopware versions 6.5.7.3 and earlier that allows a user who lacks order write privilege...

CVSS 6.5, AI score 6.7, EPSS 0.004
Exploits: 0, References: 3