Lucene search

20 matches found

Cvelist
added 2026/04/17 11:26 p.m. | 210 views

CVE-2026-2262 Easy Appointments <= 3.12.21 - Unauthenticated Sensitive Information Exposure via REST API

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the /wp-json/wp/v2/eablocks/eaappointments/ REST API endpoint. This is due to the endpoint being registered with 'permission_callback' => '__return_true', which...

CVSS 7.5 | EPSS 0.49987 | Exploits 0 | References 6

Cvelist
added 2026/04/07 8:37 p.m. | 13 views

CVE-2026-32712 Open Source Point of Sale has Stored XSS in Customer Name (Sales)

Open Source Point of Sale is a web-based point-of-sale application written in PHP using the CodeIgniter framework. Prior to 3.4.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Daily Sales management table. The customername column is configured with escape: false in the bootstrap-tabl...

CVSS 5.4 | EPSS 0.00029 | Exploits 1 | References 1

ATTACKERKB
added 2026/03/23 5:29 a.m. | 3 views

CVE-2025-10731

The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the allReminderSettings function. This makes it possible for...

CVSS 5.3 | AI score 5.8 | EPSS 0.00125 | Exploits 0 | References 5

OSV
added 2026/03/11 7:23 p.m. | 7 views

GHSA-7VVP-J573-5584 Shopware: Unauthenticated data extraction possible through store-api.order endpoint

Summary An insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. Details Data Exposure Depending on the order payload configuration, attackers may retrieve: -...

CVSS 8.9 | AI score 5.9 | EPSS 0.0005 | Exploits 0 | References 3

CVE
added 2026/03/04 1:21 a.m. | 8 views

CVE-2026-1980

CVE-2026-1980 refers to the WPBookit WordPress plugin, affecting versions up to 1.0.8. Root cause: missing authorization on the get_customer_list route, enabling unauthenticated attackers to disclose sensitive customer data (names, emails, phone numbers, dates of birth, gender). Impact: unauthori...

CVSS 5.3 | AI score 5.9 | EPSS 0.00019 | Exploits 0 | References 4

Cvelist
added 2026/01/31 4:35 a.m. | 22 views

CVE-2026-1431 Booking Calendar <= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure

The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbcajaxWPBCFLEXTIMELINENAV function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information...

CVSS 5.3 | EPSS 0.00026 | Exploits 0 | References 2

ATTACKERKB
added 2026/01/31 4:35 a.m. | 1 view

CVE-2026-1431

The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbcajaxWPBCFLEXTIMELINENAV function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information...

CVSS 5.3 | AI score 5.9 | EPSS 0.00026 | Exploits 0 | References 3

CNNVD
added 2024/07/04 12:0 a.m. | 1 view

MRW plugin information disclosure vulnerability

MRW plugin is a logistics transportation and services plugin from MRW Spain. An information disclosure vulnerability exists in MRW plugin version 5.4.3. A remote attacker could use this vulnerability to obtain order information from other customers and access sensitive information such as names a...

CVSS 8.2 | AI score 6.2 | EPSS 0.0048 | Exploits 0 | References 2

CNNVD
added 2022/10/06 12:0 a.m. | 5 views

saleor input validation error vulnerability

Github saleor is a headless GraphQL commerce platform that delivers a super-fast, dynamic, personalized shopping experience. Beautiful online store, anywhere, on any device. saleor suffers from an input validation error vulnerability that stems from a number of GraphQL mutations that do not...

CVSS 5.3 | AI score 5.3 | EPSS 0.00341 | Exploits 1 | References 3

ATTACKERKB
added 2022/04/26 8:15 p.m. | 2 views

CVE-2022-28448

nopCommerce 4.50.1 is vulnerable to Cross Site Scripting (XSS). An attacker with the customer role can inject JavaScript code into First name or Last name at Customer Info...

CVSS 5.4 | AI score 5.9 | EPSS 0.00191 | Exploits 1 | References 2

The Hacker News
added 2020/03/06 1:9 p.m. | 4 views

Virgin Media Data Leak Exposes Details of 900,000 Customers

On the same day yesterday, when the US-based telecom giant T-Mobile admitted a data breach, the UK-based telecommunication provider Virgin Media announced that it has also suffered a data leak incident exposing the personal information of roughly 900,000 customers. What happened? Unlike the...

AI score 5.8 | Exploits 0

The Hacker News
added 2019/12/20 10:5 a.m. | 1 view

Hackers Stole Customers' Payment Card Details From Over 700 Wawa Stores

Have you stopped at any Wawa convenience store and used your payment card to buy gas or snacks in the last nine months? If yes, your credit and debit card details may have been stolen by cybercriminals. Wawa, the Philadelphia-based gas and convenience store chain, disclosed a data breach incident...

AI score 5.8 | Exploits 0

Hacker One
added 2016/10/22 11:46 a.m. | 28 views

LocalTapiola: Lahitapiola´s customer names send to 3rd party

Issue The reporter found that a logged on customers real name but no further personal information could leak to a 3rd party site in certain transaction processes. Fix The issue was investigated and found to be valid. Reasoning The reported case was valid and although not a vulnerability as such, ...

AI score 2.3 | Exploits 0

Hacker One
added 2015/10/05 6:54 p.m. | 18 views

Shopify: unauthorized access to all customers first and last name

This issue allowed any merchant to search for users by their ID. The search would retrieve the first name and last name of any registered customer that belonged to any shop in Shopify...

AI score 2.4 | Exploits 0

seebug.org
added 2014/07/01 12:0 a.m. | 18 views

OneWorldStore IDOrder Information Disclosure Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/13361/info OneWorldStore is prone to an information disclosure vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. Exploitation of this vulnerability would expose the...

AI score 7.1 | Exploits 0

The Hacker News
added 2011/04/03 1:27 a.m. | 9 views

Kroger Customer Database Hacked !

Kroger Customer Database Hacked ! The company announced in an e-mail to customers their system has been hacked by someone outside the company. This means the hacker had access to customer names and e-mail addresses contained in the Kroger database. Kroger stresses only the names and e-mail...

AI score 6.8 | Exploits 0

UbuntuCve
added 2011/03/16 10:55 p.m. | 17 views

CVE-2011-0745

SugarCRM before 6.1.3 does not properly handle reloads and direct requests for a warning page produced by a certain duplicate check, which allows remote authenticated users to discover (1) the names of customers via a ShowDuplicates action to the Accounts module, reachable through index.php; or (2) t...

CVSS 4 | AI score 5.9 | EPSS 0.06958 | Exploits 2 | References 1

CVE
added 2011/03/16 10:0 p.m. | 41 views

CVE-2011-0745

SugarCRM prior to 6.1.3 is affected by CVE-2011-0745. The issue arises when reloading or directly requesting a warning page produced by a duplicate-check, allowing remote authenticated users to see names they normally should not access: (1) customer names via ShowDuplicates in the Accounts module...

CVSS 4 | AI score 6.4 | EPSS 0.06958 | Exploits 2 | References 7 | Affected Software 1

Exploit DB
added 2005/04/25 12:0 a.m. | 17 views

OneWorldStore - IDOrder Information Disclosure

source: https://www.securityfocus.com/bid/13361/info OneWorldStore is prone to an information disclosure vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. Exploitation of this vulnerability would expose the customer names, as they appear on...

AI score 7.4 | Exploits 0

exploitpack
added 2005/04/25 12:0 a.m. | 13 views

OneWorldStore - IDOrder Information Disclosure

OneWorldStore - IDOrder Information Disclosure source: https://www.securityfocus.com/bid/13361/info OneWorldStore is prone to an information disclosure vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. Exploitation of this vulnerability wou...

AI score 7.2 | Exploits 0