CVE-2026-3208
The CVE 2026-3208 entry concerns the Mercado Pago payments for WooCommerce plugin for WordPress. A missing capability check on the mp_pix_image endpoint allows unauthenticated access to PIX payment QR code images for arbitrary orders in all versions up to 8.7.11. The PIX QR codes expose sensitive...
Shopware security vulnerability
Shopware is open-source e-commerce software developed by the German company Shopware GmbH. Versions prior to Shopware 6.7.8.1 and 6.6.10.15 contained security vulnerabilities. These stemmed from insufficient validation of the filter types submitted by unauthenticated customers, which could...
GHSA-P6PV-Q7RC-G4H9 Unauthenticated Spree Commerce users can view completed guest orders by Order ID
GHSL-2026-029: The OrdersController#show action permits viewing completed guest orders by order number alone, without requiring the associated order token. Order lookup without enforcing the token requirement in OrdersController#show: rub...
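The flaw described in the Spree entry above is an order lookup keyed only on a guessable order number. The following is an added illustration, not Spree's own code: a constructed in-memory order table with a lookup that mirrors the vulnerable pattern beside a hardened lookup that requires either the order's token (compared in constant time) or an authenticated owner. Order numbers, tokens, e-mail addresses and user IDs are made up for the example.

```ruby
# Constructed in-memory stand-in for an orders table (not Spree code).
# A guest order has user_id nil and is only reachable via its token.
Order = Struct.new(:number, :state, :user_id, :guest_token, :email)

ORDERS = {
  "R123456789" => Order.new("R123456789", "complete", nil, "tok-guest-abc123", "guest@example.com"),
  "R987654321" => Order.new("R987654321", "complete", 42,  "tok-user-xyz789",  "alice@example.com"),
}.freeze

# Vulnerable pattern: the order number is the only key, so anyone who can
# guess or enumerate numbers can read any completed guest order.
def find_order_vulnerable(number)
  ORDERS[number]
end

# Constant-time string comparison so the token check does not leak
# how many leading bytes matched through response timing.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hardened pattern: the number locates the record, but the caller must
# additionally prove entitlement, either by presenting the order token
# or by being the authenticated user who placed the order.
def find_order_hardened(number, token: nil, current_user_id: nil)
  order = ORDERS[number]
  return nil if order.nil?

  owner_ok = !current_user_id.nil? && order.user_id == current_user_id
  token_ok = secure_compare(order.guest_token, token)

  (owner_ok || token_ok) ? order : nil
end

if __FILE__ == $PROGRAM_NAME
  # Anonymous request with only the order number.
  puts "vulnerable: #{find_order_vulnerable('R123456789')&.email.inspect}"
  puts "hardened, no token: #{find_order_hardened('R123456789').inspect}"
  puts "hardened, with token: #{find_order_hardened('R123456789', token: 'tok-guest-abc123')&.email.inspect}"
end
```

The hardened lookup deliberately returns nil (which a controller would map to a 404) rather than a distinct "wrong token" error, so a probe cannot confirm that an order number exists before it has the matching token.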
PT-2025-52678
Vulnerable software and affected versions: WooCommerce versions 8.1 through 10.4.2. Description: A flaw exists in WooCommerce that could allow authenticated customers to view order information belonging to guest customers, specifically on sites with a particular setup. Recommendations...
CVE-2025-13526
The CVE concerns the WordPress plugin OneClick Chat to Order. All versions up to and including 1.0.8 are vulnerable to an Insecure Direct Object Reference via the function wa_order_thank_you_override due to missing validation on a user-controlled key. This allows unauthenticated attackers to vie...
EUVD-2023-57470
Malicious code in bioql PyPI...
CVE-2021-32720
Sylius is an open-source eCommerce platform built on top of Symfony. In versions of Sylius prior to 1.9.5 and 1.10.0-RC.1, some order details (order ID, order number, items total, and token value) of all placed orders were exposed to unauthorized users. If exploited properly, a few additional informatio...