5 matches found

CVE
added 2026/02/04 8:25 a.m., 21 views

CVE-2026-0679

Fortis for WooCommerce (WordPress) is affected by an authorization bypass up to and including version 1.2.0 due to an inverted nonce check in check_fortis_notify_response, enabling unauthenticated attackers to change arbitrary WooCommerce order statuses (paid/processing/completed) via the wc-api ...

CVSS: 5.3 | AI score: 5.5 | EPSS: 0.00345
Exploits: 0 | References: 4
CVE
added 2026/02/04 8:25 a.m., 17 views

CVE-2025-14461

The CVE describes unauthenticated order-status manipulation in the Xendit Payment plugin for WordPress (WooCommerce integration). Versions up to and including 6.0.2 expose a publicly accessible API callback endpoint (wc_xendit_callback) that processes payment callbacks without authenticating orig...

CVSS: 5.3 | AI score: 5.3 | EPSS: 0.00345
Exploits: 0 | References: 4
Cvelist
added 2026/02/04 8:25 a.m., 28 views

CVE-2025-14461 Xendit Payment <= 6.0.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid

The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wc_xendit_callback that processes payment callbacks without any...

CVSS: 5.3 | EPSS: 0.00345
Exploits: 0 | References: 4
Patchstack
added 2026/02/03 11:19 p.m., 5 views

WordPress Xendit Payment plugin <= 6.0.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid vulnerability

Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Xendit Payment versions <= 6.0.2...

CVSS: 5.3 | AI score: 5.4 | EPSS: 0.00345
Exploits: 0 | References: 1 | Affected Software: 1
CNNVD
added 2022/03/18 12:0 a.m., 3 views

Syltek application data forgery vulnerability

Syltek application is an application. A security vulnerability previously existed in the Syltek application version 10.22.00 that allowed an attacker to spoof a request and bypass the payment system by marking the item as paid without any authentication...

CVSS: 7.5 | AI score: 7.4 | EPSS: 0.00457
Exploits: 0 | References: 2