23 matches found
CVE-2025-15565
The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed...
PT-2026-32918
The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed...
CVE-2026-3641 Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint
The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any...
CVE-2026-3641 Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint
The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any...
CVE-2026-1305
The CVE-2026-1305 entry concerns the WordPress plugin Japanized for WooCommerce (WooCommerce for Japan) with an authentication bypass vulnerability. The root cause is a flawed paidy_webhook_permission_check that unconditionally returns true when the webhook signature header is omitted, allowing u...
CVE-2026-0692
The CVE-2026-0692 entry concerns the BlueSnap Payment Gateway for WooCommerce WordPress plugin. Affected component: the plugin (up to version 3.3.0). Root cause: it validates IPN requests by relying on WooCommerce’s WC_Geolocation::get_ip_address(), which trusts user-controllable headers (e.g., X...
CVE-2025-14461
The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wcxenditcallback that processes payment callbacks without any...
CVE-2025-15511 Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification
The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handlewebhook function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending...
PT-2026-3531
The PeachPay — Payments & Express Checkout for WooCommerce supports Stripe, PayPal, Square, Authorize.net plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including,...
WordPress plugin PAYGENT for WooCommerce has security vulnerabilities
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...
CVE-2025-15475
The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the checkpayhereresponse function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to...
CVE-2025-15475
The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the checkpayhereresponse function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to...
CVE-2025-14886 Japanized for WooCommerce <= 2.7.17 - Missing Authorization to Unauthenticated Order Status Modification
The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the order REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order a...
CVE-2025-14460
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the...
WordPress Piraeus Bank WooCommerce Payment Gateway plugin <= 3.1.4 - Missing Authorization to Unauthenticated Arbitrary Order Status Change vulnerability
Missing Authorization to Unauthenticated Arbitrary Order Status Change vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Piraeus Bank WooCommerce Payment Gateway versions = 3.1.4...
CVE-2025-14460 Piraeus Bank WooCommerce Payment Gateway <= 3.1.4 - Missing Authorization to Unauthenticated Arbitrary Order Status Change
The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the...
EUVD-2023-33696
Malicious code in bioql PyPI...
CVE-2023-3202
The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstoreupdatefirebaseserverkey function. This makes it possible for unauthenticated attackers to update the firebase server key to push notification when order status changed via ...
CVE-2023-48926
An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status...
Shopware Access Control Error Vulnerability
Shopware is a suite of open source e-commerce software from the German company Shopware. An access control error vulnerability exists in Shopware versions 6.5.7.3 and earlier, which stems from the presence of an access control error vulnerability that allows a user who lacks order write privilege...