15 matches found
CVE-2026-41471
The Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress po...
CVE-2026-41471
The CVE concerns the Easy PayPal Events & Tickets WordPress plugin (version 1.3 and earlier). A vulnerability in the QR code scanning endpoint (scan_qr.php) allows unauthenticated attackers to enumerate and retrieve all customer order records by iterating sequential WordPress post IDs, exposing s...
CVE-2026-31887
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8...
Incorrect Authorization
Shopware is vulnerable to Incorrect Authorization. The vulnerability is due to insufficient validation of filter types in the store-api.order endpoint, which allows an attacker to access orders belonging to other customers without authentication...
CVE-2026-31887 Shopware unauthenticated data extraction possible through store-api.order endpoint
Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8...
EUVD-2025-35206
Shopware Customer Orders can be canceled, even if refunds are disabled...
EUVD-2013-3530
Malware in sbrugna...
EUVD-2023-43846
Malicious code in bioql PyPI...
EUVD-2022-4630
Malicious code in bioql PyPI...
SQL Injection
Dolibarr/dolibarr is vulnerable to SQL injection. An authenticated user with privileges to view customer orders could perform a time-based attack via the POST parameter objectstatus in commande/stats/index.php...
Shopify: Order lookup features of Shopify Chat Application leads to customer orders enumeration due to lack of user input validation
It came to my attention that the Shopify Chat application allows a customer to retrieve its order status by only providing the order email and number. Noticing that it results in being provided the order status page link, I started playing a bit with both parameters and I found out that it is...
Data Leak Impacts Millions of Yves Rocher Cosmetics Company Customers
UPDATE Cosmetics giant Yves Rocher is warning that a giant data leak exposed the personal data of millions of its customers and reams of sensitive internal company information to the public. The data exposure stems from a database left unprotected by a third-party consultant to the firm...
Shopware 5.2.5 / 5.3 Cross Site Scripting
Document Title: Shopware 5.2.5 & v5.3 - Multiple Cross Site Scripting Web Vulnerabilities. References Source: http://www.vulnerability-lab.com/getcontent.php?id=1922. Shopware Security Tracking ID: SW-19834. Security Update:...
Design/Logic Flaw
AdvancePro Advanceware allows remote authenticated users to obtain sensitive information about arbitrary customers' orders via a modified id parameter...