CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

CVE-2026-34394

WWBN AVideo (versions 26.0 and prior) is affected by a CSRF vulnerability in the admin/plugin configuration endpoint (admin/save.json.php). The endpoint processes requests without CSRF token validation (no isGlobalTokenValid/verifyToken check), and the app uses SameSite=None cookies, enabling cro...

CVE-2025-12979

The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uscesexport' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials ex...

CVE-2025-12979

The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uscesexport' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials ex...

CVE-2025-12979 Welcart e-Commerce <= 2.11.24 - Missing Authorization to Unauthenticated Information Exposure

The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uscesexport' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials ex...

EUVD-2025-150409

The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uscesexport' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials ex...

CVE-2025-12979 Welcart e-Commerce <= 2.11.24 - Missing Authorization to Unauthenticated Information Exposure

The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uscesexport' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials ex...

CVE-2025-12979

CVE-2025-12979 describes an unauthorized data exposure vulnerability in the WordPress plug‑in Welcart e-Commerce . A missing capability check on the usces_export action affects all versions up to and including 2.11.24 , allowing unauthenticated attackers to access sensitive data such as configure...

WordPress plugin Welcart e-Commerce 安全漏洞

WordPress Welcart e-Commerce Plugin is an e-commerce plugin designed for WordPress to build and manage online stores. WordPress Welcart e-Commerce Plugin suffers from an unauthorized access vulnerability that stems from a lack of capability checking in the uscesexport operation, which can be...

PT-2025-46782

Name of the Vulnerable Software and Affected Versions Welcart e-Commerce plugin for WordPress versions prior to 2.11.25 Description The Welcart e-Commerce plugin for WordPress has a flaw that allows unauthorized access to data. This is due to a missing capability check on the usces export action...

Chinese PostalFurious Gang Strikes UAE Users with Sneaky SMS Phishing Scheme

A Chinese-speaking phishing gang dubbed PostalFurious has been linked to a new SMS campaign that's targeting users in the U.A.E. by masquerading as postal services and toll operators, per Group-IB. The fraudulent scheme entails sending users bogus text messages asking them to pay a vehicle trip f...