
14 matches found

Cvelist
added 2026/03/12 6:0 a.m. · 22 views

CVE-2025-15473 Timetics < 1.0.52 - Unauthenticated Payment/Booking Status Update

The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the "timetics-booking" custom post type...

EPSS 0.00068
Exploits 0 · References 1
Patchstack
added 2026/02/17 7:19 a.m. · 4 views

WordPress Zarinpal Gateway for WooCommerce plugin <= 5.0.16 - Improper Access Control to Payment Status Update vulnerability

Improper Access Control to Payment Status Update vulnerability discovered by shark3y in WordPress Plugin Zarinpal Gateway versions <= 5.0.16...

CVSS 7.7 · AI score 5.5 · EPSS 0.00135
Exploits 0 · References 1 · Affected Software 1
NVD
added 2026/02/17 5:16 a.m. · 4 views

CVE-2026-2592

The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in...

CVSS 7.7 · EPSS 0.00135
Exploits 0 · References 7
CVE
added 2026/02/17 4:35 a.m. · 7 views

CVE-2026-2592

The CVE concerns the Zarinpal Gateway for WooCommerce plugin for WordPress, affecting all versions up to 5.0.16. The issue is Improper Access Control to Payment Status Update caused by the payment callback handler (Return_from_ZarinPal_Gateway) not validating that the authority token in the callb...

CVSS 7.7 · AI score 5.5 · EPSS 0.00135
Exploits 0 · References 7
ATTACKERKB
added 2026/02/17 4:35 a.m. · 4 views

CVE-2026-2592

The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in...

CVSS 7.7 · AI score 5.5 · EPSS 0.00135
Exploits 0 · References 8
Cvelist
added 2026/02/17 4:35 a.m. · 26 views

CVE-2026-2592 Zarinpal Gateway for WooCommerce <= 5.0.16 - Improper Access Control to Payment Status Update

The Zarinpal Gateway for WooCommerce plugin for WordPress is vulnerable to Improper Access Control to Payment Status Update in all versions up to and including 5.0.16. This is due to the payment callback handler 'Return_from_ZarinPal_Gateway' failing to validate that the authority token provided in...

CVSS 7.7 · EPSS 0.00135
Exploits 0 · References 7
RedhatCVE
added 2026/01/07 9:18 a.m. · 5 views

CVE-2025-1766

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'paymentcomplete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated...

CVSS 5.3 · AI score 7.2 · EPSS 0.00347
Exploits 0 · References 1
Cvelist
added 2025/10/25 5:31 a.m. · 5 views

CVE-2025-11564 Tutor LMS – eLearning and online course solution <= 3.8.3 - Missing Authorization to Unauthenticated Payment Status Update

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it...

CVSS 5.3 · EPSS 0.00171
Exploits 0 · References 2
Positive Technologies
added 2025/08/21 12:0 a.m. · 6 views

PT-2025-34188

Name of the Vulnerable Software and Affected Versions: GiveWP – Donation Plugin and Fundraising Platform versions prior to 4.5.1 Description: The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is susceptible to unauthorized data modification. This is due to the absence of ...

CVSS 4.3 · AI score 6 · EPSS 0.00052
Exploits 0 · References 8
Vulnrichment
added 2025/03/20 5:22 a.m. · 4 views

CVE-2025-1766 Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Missing Authorization to Unauthenticated Payment Status Update

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'paymentcomplete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated...

CVSS 5.3 · AI score 5.2 · EPSS 0.00347
Exploits 0 · References 3
Patchstack
added 2025/03/19 7:44 p.m. · 1 views

WordPress Eventin plugin <= 4.0.24 - Missing Authorization to Unauthenticated Payment Status Update vulnerability

Missing Authorization to Unauthenticated Payment Status Update vulnerability discovered by wesley wcraft in WordPress Plugin Eventin versions <= 4.0.24...

CVSS 5.3 · AI score 8.8 · EPSS 0.00347
Exploits 0 · References 1 · Affected Software 1
Vulnrichment
added 2024/06/04 5:32 a.m. · 15 views

CVE-2024-1718 Claudio Sanches – Checkout Cielo for WooCommerce <= 1.1.0 - Insufficient Verification of Data Authenticity to Order Payment Status Update

The Claudio Sanches – Checkout Cielo for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient payment validation in the updateorderstatus function in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers t...

CVSS 5.3 · AI score 6.9 · EPSS 0.0009
Exploits 0 · References 2
Positive Technologies
added 2024/03/13 12:0 a.m. · 2 views

PT-2024-17941 · WordPress · Eventprime – Events Calendar

Name of the Vulnerable Software and Affected Versions: The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress versions up to, and including, 3.4.2 Description: The issue allows unauthenticated users to update the status of order payments, making it possible for attackers to...

CVSS 5.3 · AI score 7.1 · EPSS 0.00115
Exploits 0 · References 5
Vulnrichment
added 2022/11/21 12:0 a.m. · 4 views

CVE-2022-0421 Five Star Restaurant Reservations < 2.4.12 - Unauthenticated Arbitrary Payment Status Update to Stored XSS

The Five Star Restaurant Reservations WordPress plugin before 2.4.12 does not have authorisation when changing whether a payment was successful or failed, allowing unauthenticated users to change the payment status of arbitrary bookings. Furthermore, due to the lack of sanitisation and escaping,...

AI score 6.6 · EPSS 0.01037
Exploits 1 · References 1