Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the referencia field in the product creation process. An attacker can execute arbitrary JavaScript in the browser of another authenticated user by injecting a crafted value into the referencia field, which i...

CVE-2026-3641 Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint

The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any...

CVE-2026-3641 Appmax <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint

The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any...

CVE-2025-14366

The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing authorization checks on the SubmitCatProductRequest AJAX action. This makes it possible for unauthenticated attackers to create arbitrary...

CVE-2025-14366 Eyewear prescription form <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Product Creation

The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing authorization checks on the SubmitCatProductRequest AJAX action. This makes it possible for unauthenticated attackers to create arbitrary...

CVE-2025-14366

CVE-2025-14366 concerns the WordPress plugin Eyewear prescription form. The WordPress plugin is reported to have missing authorization on the SubmitCatProductRequest AJAX action, affecting all versions up to and including 6.0.1. The vulnerability enables unauthenticated attackers to create arbitr...

WordPress Eyewear prescription form plugin <= 6.0.1 - Missing Authorization to Unauthenticated Arbitrary WooCommerce Product Creation vulnerability

Missing Authorization to Unauthenticated Arbitrary WooCommerce Product Creation vulnerability discovered by WordFence in WordPress Plugin Eyewear prescription form versions = 6.0.1...

Server-Side Template Injection (SSTI)

bagisto/bagisto is vulnerable to Server-Side Template Injection SSTI. The vulnerability is due to unsanitized user input being rendered by the server-side templating engine, which allows an attacker with product-creation privileges to inject arbitrary template expressions that can lead to remote...

CVE-2025-12676

The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attacke...

CVE-2025-12676 KiotViet Sync <= 1.8.5 - Use of Hard-coded Password to Authorization Bypass

The KiotViet Sync plugin for WordPress is vulnerable to authorizarion bypass in all versions up to, and including, 1.8.5. This is due to the plugin using a hardcoded password for authentication in the QueryControllerAdmin::authenticated function. This makes it possible for unauthenticated attacke...

WordPress plugin KiotViet Sync 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blogging sites on PHP and MySQL based servers.WordPress plugin is an application plugin... A security...

PT-2025-45094

Name of the Vulnerable Software and Affected Versions KiotViet Sync plugin for WordPress versions up to and including 1.8.5 Description The KiotViet Sync plugin for WordPress is susceptible to authorization bypass. This is caused by the use of a hardcoded password for authentication within the...

CVE-2025-10317

Quick.Cart is vulnerable to Cross-Site Request Forgery in product creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious product with content defined by the attacker. This software does not...

CVE-2025-10317

Quick.Cart is vulnerable to Cross-Site Request Forgery in product creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious product with content defined by the attacker. This software does not...

EUVD-2025-36999

Quick.Cart is vulnerable to Cross-Site Request Forgery in product creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious product with content defined by the attacker. This software does not...

CVE-2025-10317 Multiple Cross-Site Request Forgery in Quick.Cart

Quick.Cart is vulnerable to Cross-Site Request Forgery in product creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious product with content defined by the attacker. This software does not...

CVE-2025-10317 Multiple Cross-Site Request Forgery in Quick.Cart

Quick.Cart is vulnerable to Cross-Site Request Forgery in product creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious product with content defined by the attacker. This software does not...

PT-2025-44399

Name of the Vulnerable Software and Affected Versions Quick.Cart version 6.7 Quick.Cart affected versions not specified Description Quick.Cart is susceptible to Cross-Site Request Forgery in the product creation functionality. A malicious actor can create a specially crafted website that, when...

OpenSolution Quick.Cart 跨站请求伪造漏洞

OpenSolution Quick.Cart is an online store system from OpenSolution Poland. A cross-site request forgery vulnerability exists in OpenSolution Quick.Cart version 6.7, which stems from a lack of cross-site request forgery protection in the product creation functionality that could lead to the...

CVE-2025-62417 bagisto - CSV Formula Injection in Create New Product

Bagisto is an open source laravel eCommerce platform. When product data that begins with a spreadsheet formula character for example =, +, -, or @ is accepted and later exported or saved into a CSV and opened in spreadsheet software, the spreadsheet will interpret that cell as a formula. This...