
CVE
added 2026/05/23 4:27 a.m., 38 views

CVE-2026-9284

CVE-2026-9284 affects the WooCommerce PayPal Payments plugin for WordPress (all versions up to and including 4.0.1). The vulnerability stems from missing authorization checks on the WC‑AJAX endpoints ppc-create-order and ppc-get-order , allowing unauthorized manipulation of PayPal orders and expo...

CVSS 8.2 | AI score 5.9 | EPSS 0.00077
Exploits: 0 | References: 6
ATTACKERKB
added 2026/05/23 4:27 a.m., 7 views

CVE-2026-9284

The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the ppc-create-order and ppc-get-order WC-AJAX endpoints in all versions up to, and including, 4.0.1. The ppc-create-order endpoi...

CVSS 8.2 | AI score 5.9 | EPSS 0.00077
Exploits: 0 | References: 7
CNNVD
added 2026/05/23 12:00 a.m., 5 views

WordPress plugin WooCommerce PayPal Payments security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

CVSS 8.2 | AI score 5.8 | EPSS 0.00077
Exploits: 0 | References: 7
EUVD
added 2026/05/19 12:00 a.m., 5 views

EUVD-2026-30949

API endpoints in LalanaChami Pharmacy Management System commit 5c3d028 lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records including bcrypt password hashes via /api/user/getUserData, modify drug inventory, and access private medical...

AI score 5.8 | EPSS 0.00059
Exploits: 0 | References: 2
EUVD
added 2026/04/28 10:45 a.m., 1 view

EUVD-2026-26032

A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. The impacted element is the function saveorder of the file /admin/ajax.php?action=saveorder. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit is now public an...

CVSS 6.5 | AI score 6.4 | EPSS 0.00036
Exploits: 0 | References: 5
RedhatCVE
added 2026/03/26 2:59 p.m., 1 view

CVE-2026-31887

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8...

CVSS 8.9 | AI score 5.8 | EPSS 0.0005
Exploits: 0 | References: 1
OSV
added 2026/03/11 6:49 p.m., 4 views

CVE-2026-31887 Shopware unauthenticated data extraction possible through store-api.order endpoint

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8...

CVSS 8.9 | AI score 5.8 | EPSS 0.0005
Exploits: 0 | References: 3
Positive Technologies
added 2026/03/11 12:00 a.m., 2 views

PT-2026-24793

Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, an insufficient check on the filter types for unauthenticated customers allows access to orders of other customers. This is part of the deepLinkCode support on the store-api.order endpoint. This vulnerability is fixed in 6.7.8...

CVSS 8.9 | AI score 5.8 | EPSS 0.0005
Exploits: 0 | References: 4
EUVD
added 2026/03/02 12:00 a.m., 2 views

EUVD-2026-9261

code-projects Simple Food Order System v1.0 is vulnerable to SQL Injection in /food/routers/cancel-order.php...

CVSS 9.8 | AI score 6 | EPSS 0.00049
Exploits: 1 | References: 1
RedhatCVE
added 2026/01/10 5:41 a.m., 2 views

CVE-2025-51626

SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancelorder.php endpoint...

CVSS 6.5 | AI score 8.1 | EPSS 0.00012
Exploits: 0 | References: 1
RedhatCVE
added 2026/01/10 5:41 a.m., 1 view

CVE-2025-14886

The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the order REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order a...

CVSS 5.3 | AI score 5.3 | EPSS 0.00044
Exploits: 0 | References: 1
OSV
added 2026/01/09 9:16 p.m., 0 views

CVE-2025-51626

SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancelorder.php endpoint...

CVSS 6.5 | AI score 5.8
Exploits: 0 | References: 2
CVE
added 2026/01/09 4:31 a.m., 12 views

CVE-2025-14886

CVE-2025-14886 concerns Japanized for WooCommerce for WordPress. It is a data modification vulnerability due to missing capability check on the order REST API endpoint, affecting all versions up to and including 2.7.17. Unauthenticated attackers could mark any WooCommerce order as processed/compl...

CVSS 5.3 | AI score 5 | EPSS 0.00044
Exploits: 0 | References: 2
Cvelist
added 2026/01/09 4:31 a.m., 25 views

CVE-2025-14886 Japanized for WooCommerce <= 2.7.17 - Missing Authorization to Unauthenticated Order Status Modification

The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the order REST API endpoint in all versions up to, and including, 2.7.17. This makes it possible for unauthenticated attackers to mark any WooCommerce order a...

CVSS 5.3 | EPSS 0.00044
Exploits: 0 | References: 2
Positive Technologies
added 2026/01/09 12:00 a.m., 1 view

PT-2026-1756

Name of the Vulnerable Software and Affected Versions Japanized for WooCommerce versions up to and including 2.7.17 Description The Japanized for WooCommerce plugin for WordPress is susceptible to unauthorized data modification. A missing capability check on the order REST API endpoint allows...

CVSS 5.3 | AI score 5.9 | EPSS 0.00044
Exploits: 0 | References: 7
CVE
added 2026/01/09 12:00 a.m., 9 views

CVE-2025-51626

CVE-2025-51626 affects pss.sale.com 1.0. The issue is a SQL injection in the endpoint /userfiles/php/cancel_order.php via the id parameter, caused by improper handling of input. Impact stated: potential SQL code injection. Mitigation: Red Hat/ENISA/etc. documents indicate applying a fix for versi...

CVSS 6.5 | AI score 7.7 | EPSS 0.00012
Exploits: 0 | References: 2 | Affected Software: 1
EUVD
added 2026/01/09 12:00 a.m., 1 view

EUVD-2026-1681

SQL injection vulnerability in pss.sale.com 1.0 via the id parameter to the userfiles/php/cancelorder.php endpoint...

CVSS 6.5 | AI score 7.5 | EPSS 0.00012
Exploits: 0 | References: 3
CNNVD
added 2026/01/09 12:00 a.m., 1 view

pss.sale.com security vulnerability

pss.sale.com is a merchandising system by the individual developer XiaoLiuChu in China. A security vulnerability exists in version 1.0 of pss.sale.com, which stems from an incorrect manipulation of the parameter id in the endpoint userfiles/php/cancelorder.php, which could lead to a SQL injection...

CVSS 6.5 | AI score 7.6 | EPSS 0.00012
Exploits: 0 | References: 3
Positive Technologies
added 2026/01/09 12:00 a.m., 1 view

PT-2026-1812

Name of the Vulnerable Software and Affected Versions pss.sale.com version 1.0 Description A SQL injection issue exists in pss.sale.com version 1.0. The issue is located in the userfiles/php/cancel order.php endpoint, specifically through the id parameter. Exploitation of this issue could allow a...

CVSS 6.5 | AI score 7.5 | EPSS 0.00012
Exploits: 0 | References: 6
NVD
added 2025/12/15 3:15 p.m., 7 views

CVE-2025-14156

The Fox LMS – WordPress LMS Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.5.1. This is due to the plugin not properly validating the 'role' parameter when creating new users via the /fox-lms/v1/payments/create-order REST API endpoint...

CVSS 9.8 | EPSS 0.00356
Exploits: 1 | References: 2