16 matches found

EUVD
added 2026/05/29 6:2 p.m., 9 views

EUVD-2026-33409

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, CreateOrderFromCartAction::execute previously created the Order row before checking and incrementing the discount's totaluse counter. Under concurrent checkout pressure (Black Friday, flash sale, viral coupon), the global usagelimit was...

CVSS 5.9, AI score 5.8, EPSS 0.00239
Exploits 0, References 3

CVE
added 2026/05/23 4:27 a.m., 44 views

CVE-2026-9284

CVE-2026-9284 affects the WooCommerce PayPal Payments plugin for WordPress (all versions up to and including 4.0.1). The vulnerability stems from missing authorization checks on the WC‑AJAX endpoints ppc-create-order and ppc-get-order, allowing unauthorized manipulation of PayPal orders and expo...

CVSS 8.2, AI score 5.9, EPSS 0.00347
Exploits 0, References 6

Vulnrichment
added 2026/05/23 4:27 a.m., 7 views

CVE-2026-9284 WooCommerce PayPal Payments <= 4.0.1 - Missing Authorization to Unauthenticated Order Manipulation and Information Disclosure

The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the ppc-create-order and ppc-get-order WC-AJAX endpoints in all versions up to, and including, 4.0.1. The ppc-create-order endpoi...

CVSS 8.2, AI score 5.9, EPSS 0.00347
Exploits 0, References 6

ATTACKERKB
added 2026/05/23 4:27 a.m., 11 views

CVE-2026-9284

The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the ppc-create-order and ppc-get-order WC-AJAX endpoints in all versions up to, and including, 4.0.1. The ppc-create-order endpoi...

CVSS 8.2, AI score 5.9, EPSS 0.00347
Exploits 0, References 7

CNNVD
added 2026/05/23 12:0 a.m., 8 views

WordPress plugin WooCommerce PayPal Payments security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

CVSS 8.2, AI score 5.8, EPSS 0.00347
Exploits 0, References 7

GithubExploit
added 2025/12/18 6:18 p.m., 250 views

Exploit for CVE-2025-14156

CVE-2025-14156 Fox LMS – WordPress LMS Plugin 1.0.4.7 - 1.0.5...

CVSS 9.8, AI score 7, EPSS 0.00444
Exploits 1

RedhatCVE
added 2025/12/16 2:49 p.m., 12 views

CVE-2025-14156

The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the /fox-lms/v1/payments/create-order REST API endpoint...

CVSS 9.8, AI score 6.3, EPSS 0.00444
Exploits 1, References 1

EUVD
added 2025/12/15 3:30 p.m., 7 views

EUVD-2025-203362

The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the /fox-lms/v1/payments/create-order REST API endpoint...

CVSS 9.8, AI score 5.9, EPSS 0.00444
Exploits 1, References 3

NVD
added 2025/12/15 3:15 p.m., 8 views

CVE-2025-14156

The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the /fox-lms/v1/payments/create-order REST API endpoint...

CVSS 9.8, EPSS 0.00444
Exploits 1, References 2

Cvelist
added 2025/12/15 2:25 p.m., 30 views

CVE-2025-14156 Fox LMS – WordPress LMS Plugin 1.0.4.7 - 1.0.5.1 - Unauthenticated Privilege Escalation via 'createOrder'

The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the /fox-lms/v1/payments/create-order REST API endpoint...

CVSS 9.8, EPSS 0.00444
Exploits 1, References 2

CVE
added 2025/12/15 2:25 p.m., 38 views

CVE-2025-14156

Fox LMS – WordPress LMS Plugin (versions prior to 1.0.5.1) is vulnerable to unauthenticated privilege escalation via the /fox-lms/v1/payments/create-order endpoint, caused by invalid validation of the 'role' parameter. This allows an attacker to create user accounts with arbitrary roles (includin...

CVSS 9.8, AI score 6, EPSS 0.00444
Exploits 1, References 2

Vulnrichment
added 2025/12/15 2:25 p.m., 7 views

CVE-2025-14156 Fox LMS – WordPress LMS Plugin 1.0.4.7 - 1.0.5.1 - Unauthenticated Privilege Escalation via 'createOrder'

The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the /fox-lms/v1/payments/create-order REST API endpoint...

CVSS 9.8, AI score 6, EPSS 0.00444
Exploits 1, References 2

EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2025-28768

Malicious code in bioql PyPI...

CVSS 9.8, AI score 7.5, EPSS 0.00399
Exploits 1, References 5

CNNVD
added 2025/06/28 12:0 a.m., 3 views

Code-Projects Inventory Management System injection vulnerability

Inventory Management System is an inventory management system. The Inventory Management System suffers from a SQL injection vulnerability that originates in the /phpaction/createOrder.php file, which does not adequately filter user input. An attacker can exploit this vulnerability by remotely...

CVSS 9.8, AI score 7.8, EPSS 0.00399
Exploits 1, References 6

OSV
added 2024/09/07 12:15 p.m., 2 views

CVE-2024-6010

The Cost Calculator Builder PRO plugin for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.2.1. This is due to the plugin allowing the price field to be manipulated prior to processing via the 'createccorder' function, called from the Cost Calculator Builder...

CVSS 5.3, AI score 5.7
Exploits 0, References 4

Hacker One
added 2016/02/23 8:5 a.m., 34 views

Shopify: Injection via CSV Export feature in Admin Orders

I found out that the filtering of "=,-,+" is not working in all data. There's a way to bypass it. 1. Create a product with title =cmd|' /C calc'!'D2' 2. Add variants more than 2 variants then save it. 3. Go to Orders Create Order 4. search the product we made =cmd|' /C calc'!'D2' 5. Add 2 variant...

AI score 1.7
Exploits 0