3 matches found
CVE-2026-11855
CVE-2026-11855 affects the Simple Membership WordPress plugin prior to 4.7.5. The issue arises because Stripe webhook requests are not authenticated when no signing secret is configured, and a value taken from those requests is not escaped before being output in an administrator notice. This lead...
CVE-2025-53392
CVE-2025-53392 : In pfSense CE 2.8.0, the WebCfg - Diagnostics: Command privilege allows an authenticated user to download/read arbitrary files via a directory traversal in diag_command.php (dlPath). This is a local file-disclosure vulnerability, with evidence of PoC/exploit activity (e.g., publi...
Shopify: Accessing Payments page and adding payment methods with limited access accounts
Users with the Orders permission were allowed to see the store's payment gateway information. This page should have been restricted to users with the Settings permission only. Using this vulnerability a User with limited access/ No access to Settings could add/alter/change Payment settings while...