EUVD-2026-17654
AVideo: Arbitrary Stripe Subscription Cancellation via Debug Endpoint and retrieveSubscriptions Bug...
CVE-2026-34737
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the StripeYPT plugin includes a test.php debug endpoint that is accessible to any logged-in user, not just administrators. This endpoint processes Stripe webhook-style payloads and triggers subscription operations, includin...
CVE-2024-11205
The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level acces...
CVE-2024-11205
The CVE-2024-11205 entry applies to the WPForms WordPress plugin. A missing capability check in wpforms_is_admin_page affects versions 1.8.4 through 1.9.2.1, enabling authenticated users with Subscriber-level access and above to refund payments and cancel subscriptions. The issue is mitigated by ...
PT-2024-9554 · Stripe · Stripe
Name of the Vulnerable Software and Affected Versions: WPForms versions 1.8.4 through 1.9.2.1
Description: The issue is related to a missing capability check in the wpforms_is_admin_page function, which allows authenticated attackers with Subscriber-level access and above to refund payments and...