6 matches found
CVE-2026-9719
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the changestatus function. This makes it possible for...
Kimai leaks API Token Hash via Invoice Twig Template
Summary: The Twig sandbox used for invoice templates blocks certain sensitive User methods (password, TOTP secret, etc.) via a blocklist in StrictPolicy::checkMethodAllowed. However, getApiToken and getPlainApiToken are not on the blocklist. An admin who creates an invoice template can embed calls t...
EUVD-2016-1997
Malware in sbrugna...
CVE-2023-3764
The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.90. This is due to missing or incorrect nonce validation on the Save function. This makes it possible for unauthenticated attackers to make changes to invoice...
Cloudflare: Cloudflare does not sufficiently truncate credit card numbers in invoices
When a Cloudflare user has a paid account, but Cloudflare can't process the user's credit card, Cloudflare emails the user from [email protected], subject line "Cloudflare Failed Taking Payment for INV-D1234567". The email contains an attachment, "2017-11-19CloudflareINV-D1234567.pdf", a PDF...
Shopify: Paid account can review/download any invoice of any other shop
Hi Shopify Team, I would like to report a serious security issue within the admin panel of a paid Myshopify account. A paid customer, after being detached from a Development account and with valid payment details entered, is able to review any invoice issued to any other client, and download it. In the web variant of...