Lucene search
K

1149 matches found

OSV
OSV
added 2026/03/10 6:24 p.m.8 views

GHSA-MJ32-R678-7MVP Craft Commerce has stored XSS in Craft Commerce Order Details Slideout

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the inject...

4.8CVSS5.8AI score0.00211EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.3 views

PT-2026-24629

Summary A Stored Cross-Site Scripting XSS vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the order details slideout via a double-click on the order index page, the inject...

4.8CVSS5.8AI score
Exploits0References4
CNNVD
CNNVD
added 2026/03/10 12:0 a.m.8 views

Craft Commerce 跨站脚本漏洞

Craft Commerce is an e-commerce platform developed under the open-source Craft CMS framework. Versions prior to 4.10.2 and 5.5.3 of Craft Commerce contained a cross-site scripting vulnerability. This vulnerability stemmed from improper filtering of the Shipping Method Name, Order Reference, or Si...

5.4CVSS5.7AI score0.00211EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2026/03/10 12:0 a.m.6 views

PT-2026-24419

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a Stored Cross-Site Scripting XSS vulnerability exists in the Craft Commerce Order details. Malicious JavaScript can be injected via the Shipping Method Name, Order Reference, or Site Name. When a user opens the ord...

4.8CVSS5.8AI score0.00211EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/03/05 1:57 a.m.6 views

CVE-2026-2292

The Morkva UA Shipping plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS5.9AI score0.00249EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/04 3:31 a.m.6 views

EUVD-2026-9354

The Morkva UA Shipping plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS5.9AI score0.00249EPSS
Exploits0References5
NVD
NVD
added 2026/03/04 2:15 a.m.10 views

CVE-2026-2292

The Morkva UA Shipping plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS0.00249EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/03/04 1:21 a.m.3 views

CVE-2026-2292 Morkva UA Shipping <= 1.7.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Weight, kg' Field

The Morkva UA Shipping plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS5.9AI score0.00249EPSS
Exploits0References4
CVE
CVE
added 2026/03/04 1:21 a.m.16 views

CVE-2026-2292

CVE-2026-2292 – Morkva UA Shipping (WordPress) vulnerability : Stored XSS in admin settings affecting versions up to 1.7.9. Exploitation requires ADMINISTRATOR+ privileges, with impact on pages rendered for users; affects multisite setups and sites where unfiltered_html is disabled. Root cause is...

4.4CVSS5.9AI score0.00249EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/04 1:21 a.m.34 views

CVE-2026-2292 Morkva UA Shipping <= 1.7.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Weight, kg' Field

The Morkva UA Shipping plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS0.00249EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/03/04 1:21 a.m.1 views

CVE-2026-2292

The Morkva UA Shipping plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS5.9AI score0.00249EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/03/04 12:0 a.m.11 views

WordPress plugin Morkva UA Shipping 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

4.4CVSS5.7AI score0.00249EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/03/04 12:0 a.m.11 views

PT-2026-22861

The Morkva UA Shipping plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.7.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS5.9AI score0.00249EPSS
Exploits0References5
Patchstack
Patchstack
added 2026/03/03 11:47 p.m.11 views

WordPress Morkva UA Shipping plugin <= 1.7.9 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Weight, kg' Field vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via 'Weight, kg' Field vulnerability discovered by Phap Nguyen Anh - FIS in WordPress Plugin Morkva UA Shipping versions = 1.7.9...

4.4CVSS5.9AI score0.00249EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/19 4:36 a.m.3 views

CVE-2025-14294 Razorpay for WooCommerce <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification

The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials permission callback always returning true,...

5.3CVSS5.6AI score0.00353EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/02/19 4:36 a.m.30 views

CVE-2025-14294 Razorpay for WooCommerce <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification

The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials permission callback always returning true,...

5.3CVSS0.00353EPSS
Exploits0References5
Malwarebytes
Malwarebytes
added 2026/02/17 1:50 p.m.16 views

Scam Guard for desktop: A second set of eyes for suspicious moments

Scams aren’t so obvious anymore. They're well-written, have working grammar, and can lead victims to very convincing branded webpages. Scammers increasingly use AI tools to clone sites and create highly sophisticated scams at scale, so don't expect to rely on spotting obvious typos anymore. That’...

5.7AI score
Exploits0
Veracode
Veracode
added 2026/02/09 8:38 p.m.7 views

Cross-site Scripting (XSS)

craftcms/commerce is vulnerable to Cross-site Scripting XSS. The vulnerability is due to improper sanitization of the Shipping Zone name and description fields in the Store Management section, which allows an attacker to inject and execute malicious JavaScript in an administrator’s browser via th...

6.1CVSS5.6AI score0.00261EPSS
Exploits1References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/02/04 7:28 p.m.3 views

CVE-2026-25485

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories Name &...

6.2CVSS5.4AI score0.00261EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/02/04 7:28 p.m.3 views

CVE-2026-25522

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone Name & Descriptio...

6.1CVSS5.4AI score0.00261EPSS
Exploits1References1
Rows per page
Query Builder