96 matches found
CVE-2026-5356
The CVE-2026-5356 entry concerns the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress, affected up to version 5.4.0. The root cause is improper input validation in the Stripe Connect payment processor, which accepts a client-supplied PaymentIntent ID. This misstep can...
CVE-2026-5356 LatePoint - Calendar Booking Plugin for Appointments and Events <= 5.4.0 - Unauthenticated Stripe PaymentIntent Amount-Binding Bypass
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes it...
CVE-2026-12432
The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfsupdatefailedpaymentstatus AJAX action. The handler is registered through both wpajax and wpajaxnopriv hooks and the underlying updatefailedpaymentstatus function...
CVE-2026-12432
The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfsupdatefailedpaymentstatus AJAX action. The handler is registered through both wpajax and wpajaxnopriv hooks and the underlying updatefailedpaymentstatus function...
CVE-2026-2381
The CVE concerns the WooCommerce Stripe Payment Gateway plugin for WordPress, affected in all versions up to 10.7.0. Root cause: missing capability check and missing order ownership/order_key verification in the wc_stripe_pay_for_order WC‑AJAX endpoint, with only a nonce validation. Impact: unaut...
CVE-2026-45217
Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemeHigh Stripe Payment Gateway for WooCommerce allows Password Recovery Exploitation. This issue affects Stripe Payment Gateway for WooCommerce: from n/a through 5.0.7...
CVE-2026-45217
CVE-2026-45217 concerns the WordPress Stripe Payment Gateway for WooCommerce plugin (≤ 5.0.7). Connected sources describe a Broken Authentication vulnerability allowing an Authentication Bypass via an alternate path or channel, enabling Password Recovery Exploitation. Affected component is the St...
PT-2026-43147
Name of the Vulnerable Software and Affected Versions Stripe Payment Gateway for WooCommerce versions prior to 5.0.8 Description An authentication bypass using an alternate path or channel exists in the ThemeHigh Stripe Payment Gateway for WooCommerce, which allows for password recovery...
WordPress plugin Stripe Payment Gateway for WooCommerce 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security vulnerabili...
CVE-2026-6498
The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled paymentid POST parameter and the...
CVE-2026-6498 Five Star Restaurant Reservations <= 2.7.16 - Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter
The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled paymentid POST parameter and the...
CVE-2026-6498 Five Star Restaurant Reservations <= 2.7.16 - Unauthenticated Payment Bypass via PHP Type Juggling in 'payment_id' Parameter
The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled paymentid POST parameter and the...
EUVD-2026-26361
The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled paymentid POST parameter and the...
CVE-2026-6498
The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the validpayment function using a PHP loose comparison == between the attacker-controlled paymentid POST parameter and the...
PT-2026-36086
Name of the Vulnerable Software and Affected Versions Five Star Restaurant Reservations versions prior to 2.7.17 Description A payment bypass exists due to PHP type juggling, which occurs when a loose comparison is used between different data types, potentially leading to unexpected true results...
EUVD-2026-16752
AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page...
GHSA-PM37-62G7-P768 AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
Summary The YPTWallet Stripe payment confirmation page directly echoes the $REQUEST'plugin' parameter into a JavaScript block without any encoding or sanitization. The plugin parameter is not included in any of the framework's input filter lists defined in security.php, so it passes through...
Replay Attack
Overview mppx is a /picture Affected versions of this package are vulnerable to Replay Attack via the stripe/charge file. An attacker can consume unlimited resources by replaying a valid credential containing the same spt token against a new challenge, causing the server to accept the replayed...
mppx has Stripe charge credential replay via missing idempotency check
Impact The stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a ne...
CVE-2026-34375 AVideo Vulnerable to Reflected XSS via Unsanitized plugin Parameter in YPTWallet Stripe Payment Page
WWBN AVideo is an open source video platform. In versions up to and including 26.0, the YPTWallet Stripe payment confirmation page directly echoes the $REQUEST'plugin' parameter into a JavaScript block without any encoding or sanitization. The plugin parameter is not included in any of the...