
58 matches found

ATTACKERKB
added 2026/04/14 9:26 p.m. | 1 view

CVE-2025-15565

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed...

CVSS 5.3 | AI score 5.8 | EPSS 0.00072
Exploits: 0 | References: 3
Cvelist
added 2026/04/14 9:26 p.m. | 18 views

CVE-2025-15565 Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed...

CVSS 5.3 | EPSS 0.00072
Exploits: 0 | References: 2
CNNVD
added 2026/04/14 12:0 a.m. | 2 views

WordPress plugin Nexi XPay security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 5.3 | AI score 5.8 | EPSS 0.00072
Exploits: 0 | References: 2
Positive Technologies
added 2026/04/14 12:0 a.m. | 2 views

PT-2026-32918

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed...

CVSS 5.3 | AI score 5.8 | EPSS 0.00072
Exploits: 0 | References: 4
EUVD
added 2026/04/08 9:31 a.m. | 0 views

EUVD-2026-20105

The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return_true', meaning no...

CVSS 5.3 | AI score 5.9 | EPSS 0.00085
Exploits: 0 | References: 10
Positive Technologies
added 2026/04/08 12:0 a.m. | 0 views

PT-2026-31096

The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return_true', meaning no...

CVSS 5.3 | AI score 5.9 | EPSS 0.00085
Exploits: 0 | References: 11
EUVD
added 2026/03/21 6:30 a.m. | 1 view

EUVD-2026-14187

The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any...

CVSS 5.3 | AI score 5.9 | EPSS 0.00149
Exploits: 0 | References: 10
CVE
added 2026/02/04 8:25 a.m. | 10 views

CVE-2026-0679

Fortis for WooCommerce (WordPress) is affected by an authorization bypass up to and including version 1.2.0 due to an inverted nonce check in check_fortis_notify_response, enabling unauthenticated attackers to change arbitrary WooCommerce order statuses (paid/processing/completed) via the wc-api ...

CVSS 5.3 | AI score 5.5 | EPSS 0.00032
Exploits: 0 | References: 4
Cvelist
added 2026/02/04 8:25 a.m. | 24 views

CVE-2026-0679 Fortis for WooCommerce <= 1.2.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid via 'wc-api' Endpoint

The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order...

CVSS 5.3 | EPSS 0.00032
Exploits: 0 | References: 4
RedhatCVE
added 2026/01/29 3:18 p.m. | 4 views

CVE-2025-15511

The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handlewebhook function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending...

CVSS 5.3 | AI score 5.9 | EPSS 0.00146
Exploits: 0 | References: 1
RedhatCVE
added 2026/01/21 1:32 a.m. | 5 views

CVE-2025-14978

The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including,...

CVSS 5.3 | AI score 5.7 | EPSS 0.00155
Exploits: 0 | References: 1
NVD
added 2026/01/20 2:15 a.m. | 1 view

CVE-2025-14978

The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including,...

CVSS 5.3 | EPSS 0.00155
Exploits: 0 | References: 2
CVE
added 2026/01/20 1:22 a.m. | 10 views

CVE-2025-14978

CVE-2025-14978 : PeachPay — Payments & Express Checkout for WooCommerce (WordPress) is vulnerable to unauthorized data modification due to missing capability checks on the ConvesioPay webhook REST endpoint. The flaw exists in all versions up to and including 1.119.8, enabling unauthenticated atta...

CVSS 5.3 | AI score 5.7 | EPSS 0.00155
Exploits: 0 | References: 2
Cvelist
added 2026/01/20 1:22 a.m. | 15 views

CVE-2025-14978 PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) <= 1.119.8 - Missing Authorization to Unauthenticated Order Status Modification

The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including,...

CVSS 5.3 | EPSS 0.00155
Exploits: 0 | References: 2
ATTACKERKB
added 2026/01/20 1:22 a.m. | 4 views

CVE-2025-14978

The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including,...

CVSS 5.3 | AI score 5.6 | EPSS 0.00155
Exploits: 0 | References: 3
Positive Technologies
added 2026/01/20 12:0 a.m. | 1 view

PT-2026-3531

The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including,...

CVSS 5.3 | AI score 5.7 | EPSS 0.00155
Exploits: 0 | References: 3
RedhatCVE
added 2026/01/17 7:15 a.m. | 2 views

CVE-2026-0939

The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possibl...

CVSS 5.3 | AI score 5.9 | EPSS 0.00051
Exploits: 0 | References: 1
NVD
added 2026/01/16 7:15 a.m. | 3 views

CVE-2026-0942

The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs function in all versions up to, and including, 5.1.5. This makes it possible for unauthenticated...

CVSS 5.3 | EPSS 0.00039
Exploits: 0 | References: 3
Cvelist
added 2026/01/16 6:43 a.m. | 25 views

CVE-2026-0942 Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.5 - Missing Authorization to Unauthenticated Rede Order Logs Deletion

The Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs function in all versions up to, and including, 5.1.5. This makes it possible for unauthenticated...

CVSS 5.3 | EPSS 0.00039
Exploits: 0 | References: 3
RedhatCVE
added 2026/01/15 7:23 a.m. | 3 views

CVE-2025-15512

The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checksuccessresponse function in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to set any WooCommerce order ...

CVSS 5.3 | AI score 5.9 | EPSS 0.00128
Exploits: 0 | References: 1