CVE-2026-8611

The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoiceid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

CVE-2026-8611

The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoiceid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

PT-2026-47141

The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

CVE-2026-2991 KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2 - Unauthenticated Authentication Bypass via Social Login Token

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the patientSocialLogin function not verifying the social provider access token before authenticating a user. This makes it...

CVE-2025-14294 Razorpay for WooCommerce <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification

The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials permission callback always returning true,...

CVE-2025-14294 Razorpay for WooCommerce <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification

The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials permission callback always returning true,...

EUVD-2021-34763

Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vulnerable parameters to manipulate client-side requests and potentially execute session hijacking or...

CVE-2025-13085

The SiteSEO – SEO Simplified plugin for WordPress is vulnerable to Improper Authorization leading to Sensitive Post Meta Disclosure in versions up to and including 1.3.2. This is due to missing object-level authorization checks in the resolvevariables AJAX handler. This makes it possible for...

lemlist: Authentication Bypass in Subscription Management Endpoint

A vulnerability was identified in the subscription management functionality that allowed unauthorized access to customer billing information. The issue stemmed from insufficient authentication and authorization controls on an API endpoint. The vulnerability was classified as an Insecure Direct...

PT-2025-44275

Name of the Vulnerable Software and Affected Versions Call Now Button versions prior to 1.5.5 Description The Call Now Button plugin for WordPress is susceptible to unauthorized data access because of a missing capability check in multiple functions. Attackers with Subscriber-level access or high...

MAL-2025-7119 Malicious code in @billing-info/common (npm)

The package @billing-info/common was found to contain malicious code...

CVE-2022-2429

The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into billing...

Unspecified vulnerability in Lunary (CNVD-2025-06937)

Lunary is Lunary open source a production toolkit for LLM . Lunary has a security vulnerability that stems from improper privilege management, which can be exploited by an attacker to cause an administrator to bypass role controls to access billing information...

Lunary 访问控制错误漏洞

Lunary is Lunary open source a production toolkit for LLM . Lunary has a security vulnerability that stems from improper privilege management, which can be exploited by an attacker to cause an administrator to bypass role controls to access billing information...

CVE-2022-2429

The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into billing...

Input validation

The Ultimate SMS Notifications for WooCommerce plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 1.4.1 via the 'Export Utility' functionality. This makes it possible for authenticated attackers, such as a subscriber, to add untrusted input into billing...

PT-2022-22321 · Tabit · Tabit

Name of the Vulnerable Software and Affected Versions: Tabit affected versions not specified Description: The issue concerns the disclosure of sensitive information through several APIs on the Tabit web system. These APIs display health statements, previous bills, alcohol consumption, and smoking...

Hacked Data for 69K LimeVPN Users Up for Sale on Dark Web

The VPN provider known as LimeVPN has been hit with a hack affecting 69,400 user records, according to researchers. A hacker claims to have stolen the company’s entire customer database before knocking its website offline Threatpost confirmed that as of press time, the website was down. The stole...

Hackers Compromise T-Mobile Employee' Email Accounts and Steal User' Data

If you are a T-Mobile customer, this news may concern you. US-based telecom giant T-Mobile has suffered yet another data breach incident that recently exposed personal and accounts information of both its employees and customers to unknown hackers. What happened? In a breach notification posted o...

Stripo Inc: Clickjacking on my.stripo.email for MailChimp credentials

Clickjacking is a malicious hacking technique where attackers can acquire sensitive data. Through simple social engineering techniques these links can be sent out to unsuspecting customers to steal their credentials or perform actions on their accounts. For this example I saw that where I goto...