9 matches found
WordPress Buy one click WooCommerce plugin <= 2.2.9 - Missing Authorization to Authenticated (Subscriber+) Order Deletion vulnerability
Missing Authorization to Authenticated Subscriber+ Order Deletion vulnerability discovered by incognito in WordPress Plugin Buy one click WooCommerce versions <= 2.2.9...
EUVD-2024-33332
Malicious code in bioql PyPI...
CVE-2024-10853
The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the removeorder AJAX action in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with Subscriber-level access and...
PT-2024-16592 · WordPress · Buy One Click Woocommerce Plugin
Name of the Vulnerable Software and Affected Versions: Buy one click WooCommerce plugin for WordPress versions up to, and including, 2.2.9 Description: The issue is related to a missing capability check on the removeorder AJAX action, allowing authenticated attackers with Subscriber-level access...
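The two WordPress entries above describe the same root cause: a `wp_ajax_*` handler is reachable by any logged-in user, and nothing inside it asks whether the caller may delete orders. The following is an added illustration, not the Buy one click WooCommerce plugin's own code; the handler and nonce names (`boc_removeorder_*`, `boc_removeorder`) are hypothetical. It shows the missing-check pattern beside a hardened handler that adds a nonce check (against CSRF) and a capability check before touching the order.

```php
<?php
// Added illustration, not the Buy one click WooCommerce plugin's code.
// Handler and nonce names are hypothetical; WordPress/WooCommerce APIs are real.

// Vulnerable pattern: wp_ajax_* hooks run for every authenticated user,
// and the handler never checks who is calling or whether the request was intended.
add_action( 'wp_ajax_removeorder_vulnerable', 'boc_removeorder_vulnerable' );
function boc_removeorder_vulnerable() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( $order ) {
        $order->delete( true ); // a Subscriber can delete any order by ID
    }
    wp_send_json_success();
}

// Hardened pattern: reject forged requests, then reject callers without the capability.
add_action( 'wp_ajax_removeorder_hardened', 'boc_removeorder_hardened' );
function boc_removeorder_hardened() {
    // Dies with 403 unless the request carries a valid nonce for this action.
    check_ajax_referer( 'boc_removeorder', 'nonce' );

    // Only shop managers/administrators hold manage_woocommerce.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Unknown order.' ), 404 );
    }

    $order->delete( true );
    wp_send_json_success( array( 'deleted' => $order_id ) );
}
```

The client side must send the nonce produced by `wp_create_nonce( 'boc_removeorder' )` (typically passed to the script with `wp_localize_script()`); without it the hardened handler refuses the request before the capability check even runs. A quick audit for this bug class is to grep a plugin for `wp_ajax_` registrations and confirm each callback calls `current_user_can()` (or an equivalent) before any write.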
WooPayments < 6.7.0 - Unauthenticated Order Deletion via IDOR
Description The plugin does not validate order ownership, which could allow an unauthenticated attacker to delete orders by knowing the order ID and cart hash, i.e. they would have to create a cart that matches the items in the order they are trying to delete. Furthermore, only stores running on lega...
WooCommerce Stripe Payment Gateway < 7.6.2 - Unauthenticated Order Deletion via IDOR
Description The plugin does not properly check ownership of completed/pending orders, allowing unauthenticated users to put such orders in the trash and delete them...
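The WooPayments and Stripe gateway entries are IDORs rather than missing capability checks: a customer-facing endpoint accepts an order ID and verifies only a value an attacker can reproduce (such as a cart hash), never that the order belongs to the caller. The following is an added illustration, not code from either plugin; the function names are hypothetical. It contrasts that pattern with an ownership check that ties the order to the logged-in customer or, for guests, to the order bound to the caller's own WooCommerce session.

```php
<?php
// Added illustration, not WooPayments' or the WooCommerce Stripe gateway's code.
// Function names are hypothetical; WooCommerce APIs used are real.

// Vulnerable pattern: the only "proof" is the cart hash, which is derived from
// cart contents, so anyone who rebuilds the same cart can produce it.
function example_trash_order_vulnerable( $order_id, $supplied_cart_hash ) {
    $order = wc_get_order( absint( $order_id ) );
    if ( ! $order ) {
        return false;
    }
    if ( $order->get_cart_hash() !== $supplied_cart_hash ) {
        return false;
    }
    $order->delete(); // trashes any order whose ID and cart the attacker can reproduce
    return true;
}

// Hardened pattern: the caller must own the order, and the order must be in a
// state a customer is allowed to abandon.
function example_trash_order_hardened( $order_id ) {
    $order = wc_get_order( absint( $order_id ) );
    if ( ! $order ) {
        return false;
    }

    $user_id = get_current_user_id();
    $owns_it = false;

    if ( $user_id && (int) $order->get_customer_id() === $user_id ) {
        $owns_it = true; // logged-in customer who placed the order
    } elseif ( ! $user_id && WC()->session ) {
        // Guest: only the order this session is currently paying for is in scope.
        $owns_it = (int) WC()->session->get( 'order_awaiting_payment' ) === $order->get_id();
    }

    if ( ! $owns_it ) {
        return false;
    }
    // Completed or processing orders must never be deletable from the storefront.
    if ( ! $order->has_status( array( 'pending', 'failed' ) ) ) {
        return false;
    }
    $order->delete();
    return true;
}
```

The ownership check is deliberately session-based for guests rather than key-based: a cart hash is reproducible by anyone who adds the same items, while the session's `order_awaiting_payment` value is set server-side during checkout and is not guessable from the order's contents.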
Extreme CMS has a flawed logic vulnerability
Extreme CMS is a website-building CMS written in PHP; it is open source, free of charge and free for commercial use. Extreme CMS has a logic flaw vulnerability that attackers can exploit to arbitrarily delete user orders...
SQL Injection Vulnerability in Tpshop Pr***.php Page at Active Order Deletion
Tpshop is a multi-merchant mall system developed by Shenzhen Soleil Networks Limited. A SQL injection vulnerability exists in the active-order deletion function of the Tpshop Pr.php page. Attackers can use the vulnerability to obtain sensitive information from the database...
CVE-2009-4120
CVE-2009-4120 concerns CSRF flaws in Quick.Cart 3.4, which let an attacker cause a logged-in administrator's browser to perform privileged actions on their behalf, such as (1) deleting orders via an orders-delete action to admin.php, and possibly (2) deleting products or (3) deleting pages through unspecified vectors....