CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

34 matches found

EUVD•added 2026/04/22 9:31 p.m.•11 views

EUVD-2026-22853

The Visa Acceptance Solutions plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 2.1.0. This is due to the expresspayproductpagepayfororder function logging users in based solely on a user-supplied billing email address during guest checkout for...

9.8CVSS5.6AI score0.00475EPSS

Exploits0References6

NVD•added 2026/04/15 9:16 a.m.•5 views

CVE-2026-3461

9.8CVSS0.00475EPSS

Exploits0References5

Cvelist•added 2026/04/15 8:28 a.m.•35 views

CVE-2026-3461 Visa Acceptance Solutions <= 2.1.0 - Unauthenticated Authentication Bypass via Billing Email

9.8CVSS0.00475EPSS

Exploits0References5

Positive Technologies•added 2026/04/15 12:0 a.m.•7 views

PT-2026-33018

Name of the Vulnerable Software and Affected Versions Visa Acceptance Solutions versions prior to 2.1.1 Description The Visa Acceptance Solutions plugin for WordPress allows unauthenticated attackers to log in as any existing user, including administrators. This occurs because the express pay...

9.8CVSS5.2AI score0.00475EPSS

Exploits0References8

Veracode•added 2026/02/21 5:8 a.m.•5 views

Insecure Direct Object Reference (IDOR)

spreeapi is vulnerable to Insecure Direct Object Reference IDOR. The vulnerability is due to improper ownership validation in the guest checkout flow, which allows an attacker to manipulate address ID parameters and bind arbitrary guest addresses to their order...

8.7CVSS5.9AI score0.00599EPSS

Exploits1References11Affected Software1

RedhatCVE•added 2026/02/08 1:21 a.m.•6 views

CVE-2026-25758

Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to...

8.7CVSS5.6AI score0.00599EPSS

Exploits1References1

NVD•added 2026/02/06 10:16 p.m.•8 views

CVE-2026-25758

8.7CVSS0.00599EPSS

Exploits1References10

Cvelist•added 2026/02/06 9:29 p.m.•28 views

CVE-2026-25758 Spree allows unauthenticated users can access all guest addresses

8.7CVSS0.00599EPSS

Exploits1References10

ATTACKERKB•added 2026/02/06 9:29 p.m.•5 views

CVE-2026-25758

8.7CVSS5.7AI score0.00599EPSS

Exploits1References11Affected Software1

CVE•added 2026/02/06 9:29 p.m.•12 views

CVE-2026-25758

CVE-2026-25758 is a high-severity IDOR in Spree Commerce’s guest checkout that lets an attacker bind arbitrary guest addresses to an order by manipulating plain address_id parameters. The issue bypasses ownership validation because guest orders have nil user_id, rendering the checks in address_bo...

8.7CVSS5.6AI score0.00599EPSS

Exploits1References10Affected Software1

Vulnrichment•added 2026/02/06 9:29 p.m.•6 views

CVE-2026-25758 Spree allows unauthenticated users can access all guest addresses

8.7CVSS5.8AI score0.00599EPSS

Exploits1References10

EUVD•added 2026/02/06 9:29 p.m.•6 views

EUVD-2026-5563

8.7CVSS5.7AI score0.00599EPSS

Exploits1References10

Github Security Blog•added 2026/02/05 9:19 p.m.•8 views

Unauthenticated Spree Commerce users can access all guest addresses

Summary A critical IDOR vulnerability exists in Spree Commerce's guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests' personally identifiable information PII includi...

8.7CVSS5.9AI score0.00599EPSS

Exploits1References13Affected Software1

Snyk•added 2026/02/05 9:19 p.m.•1 views

Authorization Bypass Through User-Controlled Key

Overview spreeapi is a Spree Api module Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the billaddressid and shipaddressid parameters in the checkout process. An attacker can gain unauthorized access to other users' personally identifiable...

8.7CVSS5.8AI score0.00599EPSS

Exploits1References2

Snyk•added 2026/02/05 9:19 p.m.•2 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the billaddressid and shipaddressid parameters in the checkout process. An attacker can gain unauthorized access to other users' personally identifiable information by manipulating...

8.7CVSS5.8AI score0.00599EPSS

Exploits1References2

Positive Technologies•added 2026/02/05 12:0 a.m.•5 views

PT-2026-6727

Name of the Vulnerable Software and Affected Versions Spree versions prior to 4.10.3 Spree versions prior to 5.0.8 Spree versions prior to 5.1.10 Spree versions prior to 5.2.7 Spree versions prior to 5.3.2 Description An IDOR vulnerability exists in Spree Commerce's guest checkout flow. This allo...

8.7CVSS5.7AI score0.00599EPSS

Exploits1References18

RubySec•added 2026/02/05 12:0 a.m.•9 views

Unauthenticated Spree Commerce users can access all guest addresses

8.7CVSS5.9AI score0.00599EPSS

Exploits1References1Affected Software1

NVD•added 2026/02/01 1:15 p.m.•4 views

CVE-2022-50941

BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. Attackers can exploit unvalidated input parameters to execute arbitrary scripts, potentially leading to session hijacking,...

6.4CVSS0.00301EPSS

Exploits0References3

Cvelist•added 2026/02/01 12:15 p.m.•27 views

CVE-2022-50941 BootCommerce 3.2.1 Persistent Cross-Site Scripting via Order Checkout

6.4CVSS0.00301EPSS

Exploits0References3

ATTACKERKB•added 2026/02/01 12:15 p.m.•5 views

CVE-2022-50941

6.4CVSS6.2AI score0.00301EPSS

Exploits0References3Affected Software1

Rows per page