Lucene search
K

1750 matches found

Nuclei
Nuclei
added 11 hours ago25 views

WooCommerce Swipe <= 2.7.1 - Cross-Site Scripting

A cross-site scripting vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the apiurl parameter. id: CVE-2014-4558 info: name: WooCommerce Swipe = 2.7.1 - Cross-Site...

6.1CVSS6.5AI score0.04055EPSS
Exploits2References4
Nuclei
Nuclei
added 11 hours ago72 views

WooCommerce Checkout Field Manager < 18.0 - Arbitrary File Upload

The WooCommerce Checkout Field Manager WordPress plugin before 18.0 does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server. id: CVE-2022-4328 info: name: WooCommerce Checkout Field Manager 18.0 - Arbitrary File Uploa...

9.8CVSS7.1AI score0.04427EPSS
Exploits2References3
Nuclei
Nuclei
added 11 hours ago27 views

Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauthenticated Arbitrary Plugin Settings Update

The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction function...

9.8CVSS6.8AI score0.54754EPSS
Exploits6References3
Snyk
Snyk
added 5 days ago3 views

Incorrect Authorization

Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to Incorrect Authorization due to improper authorization in the legacy license checkin process. An attacker can reclaim license seats assigned to other users or assets by...

5.3CVSS6.1AI score0.00238EPSS
Exploits0References2
NVD
NVD
added 5 days ago5 views

CVE-2026-13039

The Eventin – Event Calendar, Event Registration, Tickets & Booking AI Powered plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform a...

5.3CVSS0.00257EPSS
Exploits0References2
EUVD
EUVD
added 5 days ago5 views

EUVD-2026-43025

The Eventin – Event Calendar, Event Registration, Tickets & Booking AI Powered plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform a...

5.3CVSS6.1AI score0.00257EPSS
Exploits0References2
NVD
NVD
added 5 days ago6 views

CVE-2026-55515

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending-find$acceptanceId by global ID without checking access to the related checkoutable asset, allowing a reports user in...

5CVSS0.00248EPSS
Exploits1References3
EUVD
EUVD
added 5 days ago7 views

EUVD-2026-42998

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the legacy single-seat license checkin flow authorizes the action with the checkout permission instead of the checkin permission, allowing a user who can assign licenses but not unassign them to directly access the old checkin...

5.3CVSS6.1AI score0.00238EPSS
Exploits0References3
CVE
CVE
added 5 days ago6 views

CVE-2026-55479

Snipe-IT before 8.6.2 contains a logic flaw in the legacy single-seat license checkin flow: the action is authorized with checkout permission instead of checkin permission, allowing a user who can assign licenses (but not unassign them) to access the old checkin endpoint and reclaim a license sea...

5.3CVSS6.1AI score0.00238EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 5 days ago31 views

CVE-2026-55515 Snipe-IT: Cross-company deletion of pending checkout acceptances via unscoped report endpoint

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending-find$acceptanceId by global ID without checking access to the related checkoutable asset, allowing a reports user in...

5CVSS0.00248EPSS
Exploits1References3
CVE
CVE
added 5 days ago8 views

CVE-2026-55515

CVE-2026-55515 affects Snipe-IT prior to version 8.6.2. The unaccepted-assets report delete endpoint erroneously authorizes on a global ID: it allows a reports user in one company to delete pending CheckoutAcceptance records for another company by calling CheckoutAcceptance::pending()-&gt;find($a...

5CVSS6.1AI score0.00248EPSS
Exploits1References3Affected Software1
OSV
OSV
added 5 days ago2 views

CVE-2026-55515 Snipe-IT: Cross-company deletion of pending checkout acceptances via unscoped report endpoint

Snipe-IT is an IT asset/license management system. Prior to 8.6.2, the unaccepted-assets report delete endpoint authorizes only reports.view and deletes CheckoutAcceptance::pending-find$acceptanceId by global ID without checking access to the related checkoutable asset, allowing a reports user in...

5CVSS6.1AI score0.00248EPSS
Exploits1References5
NVD
NVD
added 5 days ago6 views

CVE-2026-6802

The Easy Upload Files During Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.0.1. This is due to missing authorization checks in the ufdccustominit function, which processes the 'eufdc-delete' parameter without any nonce verification,...

5.3CVSS0.00243EPSS
Exploits0References8
Patchstack
Patchstack
added 6 days ago5 views

WordPress Easy Upload Files During Checkout plugin <= 3.0.1 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary Attachment Deletion vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Easy Upload Files During Checkout versions = 3.0.1...

5.3CVSS6.1AI score0.00243EPSS
Exploits0References1Affected Software1
NVD
NVD
added 6 days ago9 views

CVE-2026-59817

Ghost is a Node.js content management system. From 6.27.0 before 6.44.0, Ghost's public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal payment without exposing customer or member data or stealing...

5.3CVSS0.00257EPSS
Exploits0References5
OSV
OSV
added 6 days ago3 views

CVE-2026-59817 Ghost: Paid gift memberships obtainable at minimal cost via the donations feature

Ghost is a Node.js content management system. From 6.27.0 before 6.44.0, Ghost's public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal payment without exposing customer or member data or stealing...

5.3CVSS6AI score0.00257EPSS
Exploits0References7
Cvelist
Cvelist
added 6 days ago36 views

CVE-2026-59817 Ghost: Paid gift memberships obtainable at minimal cost via the donations feature

Ghost is a Node.js content management system. From 6.27.0 before 6.44.0, Ghost's public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal payment without exposing customer or member data or stealing...

5.3CVSS0.00257EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 6 days ago6 views

CVE-2026-59817

Ghost is a Node.js content management system. From 6.27.0 before 6.44.0, Ghost's public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal payment without exposing customer or member data or stealing...

5.3CVSS5.8AI score0.00257EPSS
Exploits0References6Affected Software1
CVE
CVE
added 6 days ago13 views

CVE-2026-59817

Ghost is a Node.js content management system. Affects versions from 6.27.0 up to but not including 6.44.0; the public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal payment, without exposing cust...

5.3CVSS5.8AI score0.00257EPSS
Exploits0References5
NVD
NVD
added 2026/07/06 10:16 p.m.8 views

CVE-2026-43927

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, a race condition in the cart checkout flow allows an authenticated client to apply a promo code beyond its configured maximum uses. By sending concurrent checkout requests before any single request...

6.9CVSS0.0022EPSS
Exploits0References1
Rows per page
Query Builder