43 matches found
CVE-2026-10628
The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...
EUVD-2026-43123
The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...
CVE-2026-10628
The CVE concerns the WordPress plugin Points and Rewards for WooCommerce (affected: all versions up to 2.10.0). It describes an authorization bypass in which authenticated users with subscriber-level access and above can perform arbitrary modifications via multiple AJAX actions. Core implications...
Best Klaviyo Alternatives for Revenue Growth and Advanced Analytics
Top Klaviyo alternatives offer advanced analytics, automation, and insights to help e-commerce brands improve campaigns, boost revenue, and track performance...
CVE-2023-25456
Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Klaviyo, Inc. Klaviyo plugin = 3.0.7 versions...
EUVD-2023-12865
Malicious code in bioql PyPI...
EUVD-2023-29411
Malicious code in bioql PyPI...
CVE-2023-0874
The Klaviyo WordPress plugin before 3.0.10 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Malicious code in careers.klaviyo.com (npm)
--- -= Per source details. Do not edit below this line.=-...
MAL-2025-3382 Malicious code in careers.klaviyo.com (npm)
--- -= Per source details. Do not edit below this line.=-...
Unauthorized Data Access
Klaviyo Magento 2 is vulnerable to Unauthorized Data Access. The vulnerability is due to insufficient access controls in an endpoint, allowing attackers to read private customer data from stores by reclaiming guest-carts and accessing order details via the Magento API...
Read private customer data reclaiming carts in Klaviyo Magento
A researcher identified an endpoint in a thirth party module Klaviyo Magento 2 which allows to read private customer data from stores. It works by reclaiming any guest-cart as your own and reading the private data for the orders in the Magento API...
PT-2024-40329 · Klaviyo · Klaviyo Magento 2
Name of the Vulnerable Software and Affected Versions: Klaviyo Magento 2 affected versions not specified Description: A researcher discovered an issue in a third-party module that allows reading private customer data from stores. This is achieved by reclaiming any guest-cart as one's own and then...
CVE-2024-25928 WordPress Sitepact's Contact Form 7 Extension For Klaviyo Plugin <= 1.0.5 is vulnerable to SQL Injection
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Sitepact.This issue affects Sitepact: from n/a through 1.0.5...
CVE-2024-25928 WordPress Sitepact's Contact Form 7 Extension For Klaviyo Plugin <= 1.0.5 is vulnerable to SQL Injection
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Sitepact.This issue affects Sitepact: from n/a through 1.0.5...
Sitepact's Contact Form 7 Extension For Klaviyo <= 1.0.5 - Unauthenticated SQL Injection
Description The Sitepact's Contact Form 7 Extension For Klaviyo plugin for WordPress is vulnerable to SQL Injection parameter in versions up to, and including, 1.0.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This make...
WordPress Sitepact's Contact Form 7 Extension For Klaviyo Plugin <= 1.0.5 is vulnerable to SQL Injection
Software Sitepact's Contact Form 7 Extension For Klaviyo Type Plugin Vulnerable versions = 1.0.5 Fixed in 3.0.0 OWASP Top 10 A3: Injection Classification SQL Injection CVE CVE-2024-25928 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID b1255b55a5c6 Credits Dimas Maula...
WordPress Forms to Klaviyo Plugin <= 5.2.2 is vulnerable to Cross Site Scripting (XSS)
Software Forms to Klaviyo Type Plugin Vulnerable versions = 5.2.2 Fixed in N/A OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2023-33999 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID 48b75fce56c6 Credits Rafie Muhammad Patchstack Require...
WordPress Klaviyo Plugin <= 3.0.10 is vulnerable to Cross Site Scripting (XSS)
Software Klaviyo Type Plugin Vulnerable versions = 3.0.10 Fixed in 3.0.11 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-0874 Patch priority Low CVSS severity Low 5.9 Developer Claim ownership PSID 9cbb77409b1f Credits Rafshanzani Suhada Required...
CVE-2023-0874
The Klaviyo WordPress plugin before 3.0.10 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...