PT-2026-37351

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking form page url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it...

EUVD-2026-23356

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::createpaymentintentfortransaction action is registered as a public action no authentication required an...

CVE-2026-5234

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::createpaymentintentfortransaction action is registered as a public action no authentication required an...

CVE-2026-5234 LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::createpaymentintentfortransaction action is registered as a public action no authentication required an...

CVE-2026-5234

The LatePoint WordPress plugin (versions

WordPress Paid Membership Subscriptions - Effortless Memberships, Recurring Payments & Content Restriction plugin <= 2.11.1 - Missing Authorization via pms_stripe_connect_handle_authorization_return vulnerability

WordPress Paid Membership Subscriptions - Effortless Memberships, Recurring Payments & Content Restriction plugin = 2.11.1 - Missing Authorization via pmsstripeconnecthandleauthorizationreturn vulnerability discovered by Lucio Sá in WordPress Plugin Paid Member Subscriptions versions = 2.11.1...

PT-2025-46570

Name of the Vulnerable Software and Affected Versions Booking Calendar | Appointment Booking | Bookit plugin for WordPress versions up to and including 2.5.0 Description The Booking Calendar | Appointment Booking | Bookit plugin for WordPress is susceptible to unauthorized data modification. This...

EUVD-2023-54811

Malicious code in bioql PyPI...

WordPress Plugin Paid Membership Subscriptions Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A security vulnerability exists in WordPres...

CVE-2024-1389 Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.11.1 - Missing Authorization via pms_stripe_connect_handle_authorization_return

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pmsstripeconnecthandleauthorizationreturn function in all versions up to, and...

PT-2024-18001 · WordPress · Paid Membership Subscriptions

Name of the Vulnerable Software and Affected Versions: Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress versions up to, and including, 2.11.1 Description: The issue allows unauthorized modification of data due to a missing...

CVE-2023-4975

The Website Builder by SeedProd plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.15.13.1. This is due to missing or incorrect nonce validation on functionality in the builder.php file. This makes it possible for unauthenticated attackers to chan...

CVE-2023-4975

The Website Builder by SeedProd plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.15.13.1. This is due to missing or incorrect nonce validation on functionality in the builder.php file. This makes it possible for unauthenticated attackers to chan...

Cross site request forgery (csrf)

The Website Builder by SeedProd plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.15.13.1. This is due to missing or incorrect nonce validation on functionality in the builder.php file. This makes it possible for unauthenticated attackers to chan...

CVE-2023-4975

CVE-2023-4975 affects WordPress: Website Builder by SeedProd (Coming Soon/Theme Builder) up to version 6.15.13.1. The issue is CSRF in builder.php due to missing/incorrect nonce validation, enabling unauthenticated attackers to cause a settings update (e.g., changing the Stripe Connect token) by ...

CVE-2023-4975 Website Builder by SeedProd <= 6.15.13.1 - Cross-Site Request Forgery to Settings Update

The Website Builder by SeedProd plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.15.13.1. This is due to missing or incorrect nonce validation on functionality in the builder.php file. This makes it possible for unauthenticated attackers to chan...

WordPress BSD Split Pay for Stripe Connect on Woo Plugin < 3.2.10 is vulnerable to Cross Site Scripting (XSS)

Software BSD Split Pay for Stripe Connect on Woo Type Plugin Vulnerable versions 3.2.10 Fixed in 3.2.10 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2023-33999 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID 4cfd0c7adef7 Credits Rafie...

Malicious Package

Overview stripe-connect-rocketrides is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if thi...

Malicious code in stripe-connect-rocketrides (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7e97a2c94dcfd44ffb0f5732e910f9abf4e1c2e2d188c646dfb13cb8fd1c4eef Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2022-6330 Malicious code in stripe-connect-rocketrides (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7e97a2c94dcfd44ffb0f5732e910f9abf4e1c2e2d188c646dfb13cb8fd1c4eef Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...