
74 matches found

EUVD
added 3 days ago, 9 views

EUVD-2026-33406

Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables...

6.5 CVSS, 5.5 AI score, 0.00029 EPSS
Exploits 0, References 3
OSV
added 3 days ago, 7 views

GHSA-FXQW-97CC-7G5C Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables

Impact: The admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could: - Disable every...

6.5 CVSS, 5.5 AI score, 0.00029 EPSS
Exploits 0, References 4
Github Security Blog
added 3 days ago, 11 views

Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables

Impact: The admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action permission. A low-privilege user could: - Disable every...

6.5 CVSS, 5.5 AI score, 0.00029 EPSS
Exploits 0, References 4, Affected Software 1
NVD
added 2026/05/29 7:16 p.m., 9 views

CVE-2026-47745

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action...

6.5 CVSS, 0.00029 EPSS
Exploits 0, References 2
CVE
added 2026/05/29 5:55 p.m., 14 views

CVE-2026-47745

CVE-2026-47745 affects Shopper: Headless e-commerce Admin Panel. Before 2.8.0, admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable/disable/edit/delete) without per-action permission checks, allowing a low-privilege authenticated user to d...

6.5 CVSS, 5.9 AI score, 0.00029 EPSS
Exploits 0, References 2
ATTACKERKB
added 2026/05/29 5:55 p.m., 6 views

CVE-2026-47745

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action...

6.5 CVSS, 5.9 AI score, 0.00029 EPSS
Exploits 0, References 3, Affected Software 1
Cvelist
added 2026/05/29 5:55 p.m., 27 views

CVE-2026-47745 Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable, disable, edit, delete) that were rendered for any authenticated panel user without checking the corresponding per-action...

6.5 CVSS, 0.00029 EPSS
Exploits 0, References 2
CNNVD
added 2026/05/29 12:00 a.m., 4 views

Shopper security vulnerability

Shopper is an open-source e-commerce management backend developed by Shopper Labs. Versions of Shopper prior to 2.8.0 contained security vulnerabilities. These vulnerabilities stemmed from the management tables for PaymentMethods, Currencies, and Carriers rendering inline switching options and...

6.5 CVSS, 5.8 AI score, 0.00029 EPSS
Exploits 0, References 2
Positive Technologies
added 2026/05/29 12:00 a.m., 6 views

PT-2026-44945

Name of the Vulnerable Software and Affected Versions: Shopper versions prior to 2.8.0. Description: In the admin tables for PaymentMethods, Currencies, and Carriers, inline toggles and per-record actions such as enable, disable, edit, and delete are rendered for any authenticated panel user without...

6.5 CVSS, 5.4 AI score, 0.00029 EPSS
Exploits 0, References 7
Patchstack
added 2026/05/01 9:32 a.m., 3 views

WordPress Disable Payment Methods based on cart conditions for WooCommerce plugin <= 1.16.3 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WooCommerce Disable Payment Methods based on cart conditions versions <= 1.16.3...

6.1 CVSS, 5.8 AI score, 0.00135 EPSS
Exploits 0, References 1, Affected Software 1
CNNVD
added 2026/03/24 12:00 a.m., 3 views

Wallos cross-site scripting vulnerability

Wallos is an open-source personal subscription tracker developed by Miguel Ribeiro. Versions of Wallos prior to 4.7.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from a storage-based cross-site scripting in the endpoint for payment methods. It could allow any...

5.4 CVSS, 5.8 AI score, 0.00065 EPSS
Exploits 1, References 2
CNNVD
added 2026/02/26 12:00 a.m., 4 views

Zulip security vulnerability

Zulip is a powerful open-source chat application developed by the US company Zulip Corporation. It combines the immediacy of real-time conversations with the productivity benefits of threaded dialogue. Zulip has a security vulnerability, which stems from the lack of specific authorization checks...

7.1 CVSS, 5.8 AI score, 0.00018 EPSS
Exploits 0, References 2
Malwarebytes
added 2026/01/07 12:19 p.m., 4 views

One million customers on alert as extortion group claims massive Brightspeed data haul

US fiber broadband company Brightspeed is investigating claims by the Crimson Collective extortion group that it stole sensitive data belonging to more than 1 million residential customers, including extensive personally identifiable information (PII), as well as account and billing details...

6.9 AI score
Exploits 0
CVE
added 2025/11/22 11:08 a.m., 20 views

CVE-2025-13526

The CVE concerns the WordPress plugin OneClick Chat to Order. All versions up to and including 1.0.8 are vulnerable to an Insecure Direct Object Reference via the function wa_order_thank_you_override due to missing validation on a user-controlled key. This allows unauthenticated attackers to vie...

7.5 CVSS, 5.2 AI score, 0.0005 EPSS
Exploits 0, References 3
NVD
added 2025/11/18 10:15 a.m., 2 views

CVE-2025-12639

The wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to access sensitive information via the AJAX...

4.3 CVSS, 0.00044 EPSS
Exploits 0, References 5
CNVD
added 2025/11/14 12:00 a.m., 2 views

WordPress Payments Braintree For WooCommerce plugin authorization bypass vulnerability

WordPress Payments Braintree For WooCommerce plugin is a payment plugin designed specifically for WordPress websites, which supports payments done through both PayPal and credit cards. The WordPress Payments Braintree For WooCommerce plugin suffers from an authorization bypass vulnerability that...

7.5 CVSS, 6.8 AI score, 0.00449 EPSS
Exploits 0, References 1
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2022-51882

Malicious code in bioql PyPI...

7.2 CVSS, 7 AI score, 0.00587 EPSS
Exploits 2, References 3
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2022-1374

Malicious code in bioql PyPI...

6.8 CVSS, 6.1 AI score, 0.04258 EPSS
Exploits 1, References 4
OSSF Malicious Packages
added 2025/08/14 6:52 p.m., 3 views

Malicious code in payment-methods-component (npm)

The package payment-methods-component was found to contain malicious code...

7 AI score
Exploits 0
OSV
added 2025/08/14 6:52 p.m., 2 views

MAL-2025-28943 Malicious code in payment-methods-component (npm)

The package payment-methods-component was found to contain malicious code...

7.2 AI score
Exploits 0