Lucene search
K

96 matches found

CVE
CVE
added yesterday11 views

CVE-2026-5356

The CVE-2026-5356 entry concerns the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress, affected up to version 5.4.0. The root cause is improper input validation in the Stripe Connect payment processor, which accepts a client-supplied PaymentIntent ID. This misstep can...

7.5CVSS6AI score
Exploits0References2
Cvelist
Cvelist
added yesterday7 views

CVE-2026-5356 LatePoint - Calendar Booking Plugin for Appointments and Events <= 5.4.0 - Unauthenticated Stripe PaymentIntent Amount-Binding Bypass

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes it...

7.5CVSS
Exploits0References2
NVD
NVD
added 2026/06/27 8:16 a.m.10 views

CVE-2026-12432

The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfsupdatefailedpaymentstatus AJAX action. The handler is registered through both wpajax and wpajaxnopriv hooks and the underlying updatefailedpaymentstatus function...

5.3CVSS0.00323EPSS
Exploits2References10
ATTACKERKB
ATTACKERKB
added 2026/06/27 6:50 a.m.12 views

CVE-2026-12432

The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfsupdatefailedpaymentstatus AJAX action. The handler is registered through both wpajax and wpajaxnopriv hooks and the underlying updatefailedpaymentstatus function...

5.3CVSS5.6AI score0.00323EPSS
Exploits2References11
CVE
CVE
added 2026/06/16 9:31 a.m.56 views

CVE-2026-2381

The CVE concerns the WooCommerce Stripe Payment Gateway plugin for WordPress, affected in all versions up to 10.7.0. Root cause: missing capability check and missing order ownership/order_key verification in the wc_stripe_pay_for_order WC‑AJAX endpoint, with only a nonce validation. Impact: unaut...

6.5CVSS5.3AI score0.00267EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/05/25 10:29 p.m.14 views

CVE-2026-45217

Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemeHigh Stripe Payment Gateway for WooCommerce allows Password Recovery Exploitation. This issue affects Stripe Payment Gateway for WooCommerce: from n/a through 5.0.7...

6.5CVSS5.8AI score0.00352EPSS
Exploits0References2
CVE
CVE
added 2026/05/25 10:29 p.m.33 views

CVE-2026-45217

CVE-2026-45217 concerns the WordPress Stripe Payment Gateway for WooCommerce plugin (≤ 5.0.7). Connected sources describe a Broken Authentication vulnerability allowing an Authentication Bypass via an alternate path or channel, enabling Password Recovery Exploitation. Affected component is the St...

6.5CVSS5.8AI score0.00352EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/25 12:0 a.m.15 views

PT-2026-43147

Name of the Vulnerable Software and Affected Versions Stripe Payment Gateway for WooCommerce versions prior to 5.0.8 Description An authentication bypass using an alternate path or channel exists in the ThemeHigh Stripe Payment Gateway for WooCommerce, which allows for password recovery...

6.5CVSS5.8AI score0.00352EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/25 12:0 a.m.10 views

WordPress plugin Stripe Payment Gateway for WooCommerce 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security vulnerabili...

6.5CVSS5.8AI score0.00352EPSS
Exploits0References1
NVD
NVD
added 2026/04/30 10:16 a.m.5 views

CVE-2026-6498

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled paymentid POST parameter and the...

5.3CVSS0.00185EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/04/30 9:29 a.m.3 views

CVE-2026-6498 Five Star Restaurant Reservations <= 2.7.16 - Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled paymentid POST parameter and the...

5.3CVSS5.4AI score0.00185EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/04/30 9:29 a.m.33 views

CVE-2026-6498 Five Star Restaurant Reservations <= 2.7.16 - Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled paymentid POST parameter and the...

5.3CVSS0.00185EPSS
Exploits0References7
EUVD
EUVD
added 2026/04/30 9:29 a.m.5 views

EUVD-2026-26361

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled paymentid POST parameter and the...

5.3CVSS5.5AI score0.00185EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/04/30 9:29 a.m.4 views

CVE-2026-6498

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled paymentid POST parameter and the...

5.3CVSS5.4AI score0.00185EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/04/30 12:0 a.m.6 views

PT-2026-36086

Name of the Vulnerable Software and Affected Versions Five Star Restaurant Reservations versions prior to 2.7.17 Description A payment bypass exists due to PHP type juggling, which occurs when a loose comparison is used between different data types, potentially leading to unexpected true results...

5.3CVSS5.4AI score0.00185EPSS
Exploits0References10
EUVD
EUVD
added 2026/03/30 6:8 p.m.5 views

EUVD-2026-16752

AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page...

8.2CVSS5.9AI score0.00296EPSS
Exploits1References3
OSV
OSV
added 2026/03/30 6:8 p.m.2 views

GHSA-PM37-62G7-P768 AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page

Summary The YPTWallet Stripe payment confirmation page directly echoes the $REQUEST'plugin' parameter into a JavaScript block without any encoding or sanitization. The plugin parameter is not included in any of the framework's input filter lists defined in security.php, so it passes through...

8.2CVSS6.4AI score0.00296EPSS
Exploits1References4
Snyk
Snyk
added 2026/03/29 3:11 p.m.4 views

Replay Attack

Overview mppx is a /picture Affected versions of this package are vulnerable to Replay Attack via the stripe/charge file. An attacker can consume unlimited resources by replaying a valid credential containing the same spt token against a new challenge, causing the server to accept the replayed...

8.1CVSS5.9AI score0.00494EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/29 3:11 p.m.3 views

mppx has Stripe charge credential replay via missing idempotency check

Impact The stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a ne...

8.1CVSS5.9AI score0.00494EPSS
Exploits0References6Affected Software1
Cvelist
Cvelist
added 2026/03/27 6:17 p.m.20 views

CVE-2026-34375 AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the $REQUEST'plugin' parameter into a JavaScript block without any encoding or sanitization. The plugin parameter is not included in any of the...

8.2CVSS0.00296EPSS
Exploits1References2
Rows per page
Query Builder