CVE-2026-3360 Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the payincompleteorder function. The function accepts an...
E-Commerce Website edit_order_details.php File SQL Injection Vulnerability
E-Commerce Website is an e-commerce website. It suffers from a SQL injection vulnerability that stems from a lack of validation of externally supplied input in the orderid parameter of the file /pages/editorderdetails.php. An attacker can exploit this vulnerability to...
Code-Projects E-Commerce Website SQL Injection Vulnerability
E-Commerce Website is an e-commerce website. It suffers from a SQL injection vulnerability that stems from a lack of validation of externally supplied input in the orderid parameter of the file /pages/deleteorderdetails.php. An attacker can exploit this...
code-projects E-Commerce Website SQL Injection Vulnerability
E-Commerce Website is an e-commerce website. It suffers from a SQL injection vulnerability that stems from a lack of validation of externally supplied input in the orderid parameter of the file /pages/editorderdetails.php. An attacker can exploit this vulnerability to...
EUVD-2021-11315
Malware in sbrugna...
mall Security Vulnerability
mall is an e-commerce system for macro individual developers, including the front-end mall system and back-end management system. A security vulnerability exists in mall 1.0.3 and earlier versions, which stems from an authorization bypass due to incorrect operation of the parameter orderId in the...
CVE-2025-5002
A vulnerability, which was classified as critical, was found in SourceCodester Client Database Management System 1.0. This affects an unknown part of the file /userproposalupdateorder.php. The manipulation of the argument orderid leads to sql injection. It is possible to initiate the attack...
PT-2025-20582
Name of the Vulnerable Software and Affected Versions SourceCodester Client Database Management System version 1.0 Description The software is susceptible to a SQL Injection issue within the user payment update.php file. The issue occurs through the order id POST parameter. The vulnerability allo...
PT-2024-17343 · WordPress · The Travel Booking Wordpress Theme
Name of the Vulnerable Software and Affected Versions: The Travel Booking WordPress Theme versions up to, and including, 3.1.6 Description: The issue is a blind time-based SQL Injection vulnerability. It affects the order id parameter due to insufficient escaping on the user-supplied parameter an...
Simple Inventory Management System SQL Injection Vulnerability
Simple Inventory Management System is a simple inventory management system. A SQL injection vulnerability exists in Simple Inventory Management System version 1.0 due to a lack of validation of externally supplied input in the orderid parameter. An attacker can exploit this...
CVE-2024-25248
SQL Injection vulnerability in the orderGoodsDelivery function in Niushop B2B2C V5 allows attackers to run arbitrary SQL commands via the orderid parameter...
VulnCheck KEV: CVE-2021-24285
The requestlistrequest AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitise, validate or escape the orderid POST parameter before using it in a SQL statement, leading to a SQL...
CVE-2022-43212
Billing System Project v1.0 was discovered to contain a SQL injection vulnerability via the orderId parameter at fetchOrderData.php...
WordPress SQL Injection Vulnerability
WordPress is a blogging platform developed in the PHP language by the WordPress Foundation. The platform supports setting up personal blog sites on PHP and MySQL servers. A SQL injection vulnerability exists in WordPress Page Contact plugin 1.0 and earlier versions, which ste...
Welcart e-Commerce < 2.2.4 - Cross-Site Scripting (XSS)
The plugin did not sanitise or validate the orderid parameter before outputting it in the admin dashboard page, leading to a reflected Cross-Site Scripting issue. PoC http://wp.lab/wordpress/wp-admin/admin.php?page=uscesorderlistaction=editid=1"...
PT-2020-17101 · WordPress · Woocommerce
Name of the Vulnerable Software and Affected Versions: WooCommerce plugin versions prior to 4.7.0 Description: The issue allows remote attackers to view the status of arbitrary orders via the order id parameter in a fetch order status action. This could potentially expose sensitive information...
SQL Injection Vulnerability in Hanchao B2B2C Multi-User Mall System
Hanchao B2B2C Multi-User Mall System is the source code of a multi-user mall website system developed in PHP + MySQL. A SQL injection vulnerability exists in the orderid parameter of the delorder method in Hanchao B2B2C Multi-User Mall System v2.1.3, because the system fails to effectively filter the...
Vulnerability in orderid parameter of China Telecom's handheld business hall app mall order page.
China Telecom Pocket Business Office is a mobile-terminal application that provides users with recharge and payment, cost inquiry and other services. There is a vulnerability in the orderid parameter of the order page of the China Telecom Palm Business Hall app, which allows ...