
67 matches found

EUVD
added 2026/05/06 3:27 a.m. | 4 views

EUVD-2026-27520

The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mppiximage' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve...

CVSS 5.3 | AI score 6 | EPSS 0.00017
Exploits 0 | References 4

CVE
added 2026/04/14 7:43 a.m. | 7 views

CVE-2026-4109

The CVE concerns the WordPress plugin Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) for WordPress. Affected: all versions up to and including 4.1.8. Vulnerability: improper capability check in get_item_permissions_check() allows authenticated attackers with Subscrib...

CVSS 4.3 | AI score 5.9 | EPSS 0.00032
Exploits 0 | References 2

Patchstack
added 2026/04/14 3:41 a.m. | 2 views

WordPress Eventin - Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin <= 4.1.8 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure vulnerability

Events Calendar, Event Booking, Ticket & Registration AI Powered plugin <= 4.1.8 Missing Authorization to Authenticated Subscriber+ Order Information Exposure vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin WP Event SOlution versions <= 4.1.8...

CVSS 4.3 | AI score 5.8 | EPSS 0.00032
Exploits 0 | References 1 | Affected Software 1

Cvelist
added 2026/03/22 11:51 p.m. | 23 views

CVE-2026-4563 MacCMS Member Order Detail User.php order_info authorization

A weakness has been identified in MacCMS up to 2025.1000.4052. This vulnerability affects the function order_info of the file application/index/controller/User.php of the component Member Order Detail Interface. This manipulation of the argument orderid causes authorization bypass. It is possible ...

CVSS 5.3 | EPSS 0.00037
Exploits 0 | References 4

Veracode
added 2026/03/14 5:22 a.m. | 2 views

Unauthorized Data Access

Shopware is vulnerable to unauthorized data access. The vulnerability is due to an insufficient check on filter types for unauthenticated customers, where the deepLinkCode support on the store-api.order endpoint fails to enforce proper authorization and attackers can retrieve other customers' ord...

CVSS 8.9 | AI score 5.9 | EPSS 0.0005
Exploits 0 | References 2 | Affected Software 1

Vulnrichment
added 2026/02/18 4:35 a.m. | 2 views

CVE-2025-12075 Order Splitter for WooCommerce <= 5.3.5 - Missing Authorization to Authenticated (Subscriber+) Order Information Exposure

The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wos_troubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. This makes it possible for authenticated attackers, with Subscriber-level...

CVSS 4.3 | AI score 5.5 | EPSS 0.00015
Exploits 0 | References 2

CVE
added 2026/02/18 4:35 a.m. | 10 views

CVE-2025-12075

CVE-2025-12075 affects the WordPress plugin Order Splitter for WooCommerce. The vulnerability is due to a missing capability check on the wos_troubleshooting AJAX endpoint, allowing authenticated users with Subscriber-level access and above to view other users’ order information. Affected version...

CVSS 4.3 | AI score 5.5 | EPSS 0.00015
Exploits 0 | References 2

Vulnrichment
added 2026/01/23 11:38 p.m. | 7 views

CVE-2026-24136 Saleor has an Insecure Direct Object Reference (IDOR) in GraphQL API

Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor...

CVSS 8.7 | AI score 5.8 | EPSS 0.00018
Exploits 0 | References 5

RedhatCVE
added 2026/01/09 8:38 a.m. | 2 views

CVE-2026-0656

The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origi...

CVSS 8.2 | AI score 6.1 | EPSS 0.0029
Exploits 0 | References 1

Vulnrichment
added 2026/01/07 6:36 a.m. | 3 views

CVE-2026-0656 iPaymu Payment Gateway for WooCommerce <= 2.0.2 - Missing Authentication to Unauthenticated Payment Bypass and Order Information Disclosure

The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origi...

CVSS 8.2 | AI score 5.7 | EPSS 0.0029
Exploits 0 | References 3

CVE
added 2026/01/07 6:36 a.m. | 9 views

CVE-2026-0656

The CVE-2026-0656 entry concerns the iPaymu Payment Gateway for WooCommerce (WordPress). Wordfence reports a Missing Authentication flaw in webhook handling (function check_ipaymu_response) across versions up to 2.0.2, due to lack of signature verification and origin checks. This allows unauthent...

CVSS 8.2 | AI score 5.7 | EPSS 0.0029
Exploits 0 | References 3

Cvelist
added 2026/01/07 6:36 a.m. | 22 views

CVE-2026-0656 iPaymu Payment Gateway for WooCommerce <= 2.0.2 - Missing Authentication to Unauthenticated Payment Bypass and Order Information Disclosure

The iPaymu Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authentication in all versions up to, and including, 2.0.2 via the 'check_ipaymu_response' function. This is due to the plugin not validating webhook request authenticity through signature verification or origi...

CVSS 8.2 | EPSS 0.0029
Exploits 0 | References 3

Cvelist
added 2025/11/22 11:8 a.m. | 8 views

CVE-2025-13526 OneClick Chat to Order <= 1.0.8 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure

The OneClick Chat to Order plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.0.8 via the 'waorderthankyouoverride' function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view...

CVSS 7.5 | EPSS 0.0005
Exploits 0 | References 3

Vulnrichment
added 2025/11/18 9:27 a.m. | 1 view

CVE-2025-12955 Live sales notification for WooCommerce <= 2.3.39 - Missing Authorization to Unauthenticated Customer Data Exposure

The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order...

CVSS 7.5 | AI score 5.3 | EPSS 0.00106
Exploits 0 | References 2

OSV
added 2025/11/09 9:30 p.m. | 2 views

GHSA-C73G-MX2W-CC93 EverShop is vulnerable to Unauthorized Order Information Access (IDOR)

A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers. The attack may be...

CVSS 6.3 | AI score 4.5 | EPSS 0.0006
Exploits 1 | References 7

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2016-3296

Malware in sbrugna...

CVSS 5.3 | AI score 5.5 | EPSS 0.00126
Exploits 2 | References 7

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2017-6153

Malware in sbrugna...

CVSS 6.5 | AI score 6.6 | EPSS 0.00214
Exploits 1 | References 2

RedhatCVE
added 2025/05/23 2:43 a.m. | 4 views

CVE-2023-5254

The ChatBot plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.8.9 via the qcldwbchatbotcheckuser function. This can allow unauthenticated attackers to extract sensitive data including confirmation as to whether a user name exists on the site ...

CVSS 5.3 | AI score 5.8 | EPSS 0.00365
Exploits 1 | References 1

NVD
added 2024/07/04 1:15 p.m. | 17 views

CVE-2024-6506

Information exposure vulnerability in the MRW plugin, in its 5.4.3 version, affecting the "mrwlog" functionality. This vulnerability could allow a remote attacker to obtain other customers' order information and access sensitive information such as name and phone number. This vulnerability also...

CVSS 8.2 | EPSS 0.0048
Exploits 0 | References 1

Cvelist
added 2024/07/04 12:52 p.m. | 13 views

CVE-2024-6506 Information exposure vulnerability in the MRW plug-in

Information exposure vulnerability in the MRW plugin, in its 5.4.3 version, affecting the "mrwlog" functionality. This vulnerability could allow a remote attacker to obtain other customers' order information and access sensitive information such as name and phone number. This vulnerability also...

CVSS 8.2 | EPSS 0.0048
Exploits 0 | References 1