38 matches found

Github Security Blog
added 2026/04/14 1:01 a.m., 4 views

Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments

Summary PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object order, which contains some sensitive fields such as custome...

CVSS 6.3 | AI score 5.8 | EPSS 0.0009
Exploits 0 | References 6 | Affected software 1
ATTACKERKB
added 2026/04/13 8:08 p.m., 0 views

CVE-2026-32270

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON...

CVSS 6.3 | AI score 5.8 | EPSS 0.0009
Exploits 0 | References 5 | Affected software 1
Positive Technologies
added 2026/04/13 12:00 a.m., 3 views

PT-2026-32511

Name of the Vulnerable Software and Affected Versions: Craft Commerce versions prior to 4.11.0; Craft Commerce versions prior to 5.6.0. Description: The actionPay function in the 'PaymentsController' discloses order data to unauthenticated users. This occurs when an order number is provided and the...

CVSS 6.3 | AI score 5.1 | EPSS 0.0009
Exploits 0 | References 10
ATTACKERKB
added 2025/12/25 9:02 p.m., 0 views

CVE-2025-15087

A security vulnerability has been detected in youlaitech youlai-mall 1.0.0/2.0.0. Affected is the function submitOrderPayment of the file mall-oms/oms-boot/src/main/java/com/youlai/mall/oms/controller/app/OrderController.java. Such manipulation of the argument orderSn leads to improper...

CVSS 5.3 | AI score 5.2 | EPSS 0.00043
Exploits 1 | References 4 | Affected software 1
Positive Technologies
added 2025/12/25 12:00 a.m., 2 views

PT-2025-53414

Name of the Vulnerable Software and Affected Versions: youlaitech youlai-mall versions 1.0.0 through 2.0.0. Description: A security issue has been identified in youlaitech youlai-mall. Manipulation of the orderSn argument within the submitOrderPayment function, located in the file...

CVSS 5.3 | AI score 6.4 | EPSS 0.00043
Exploits 1 | References 9
EUVD
added 2025/10/07 12:30 a.m., 1 view

EUVD-2020-29840

Malware in sbrugna...

CVSS 3.7 | AI score 4.8 | EPSS 0.00206
Exploits 1 | References 3
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2025-29147

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 4.9 | EPSS 0.00069
Exploits 1 | References 6
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2025-29017

Malicious code in bioql PyPI...

CVSS 3.1 | AI score 4.1 | EPSS 0.00044
Exploits 0 | References 5
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2023-51785

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 8.6 | EPSS 0.00171
Exploits 0 | References 1
OSV
added 2025/09/15 3:15 a.m., 0 views

CVE-2025-10422

A vulnerability has been found in newbee-mall up to 613a662adf1da7623ec34459bc83e3c1b12d8ce7. This issue affects the function paySuccess of the file /paySuccess of the component Order Status Handler. The manipulation of the argument orderNo leads to improper authorization. Remote exploitation of...

CVSS 5.3 | AI score 5.3
Exploits 0 | References 5
NVD
added 2025/09/15 3:15 a.m., 3 views

CVE-2025-10422

A vulnerability has been found in newbee-mall up to 613a662adf1da7623ec34459bc83e3c1b12d8ce7. This issue affects the function paySuccess of the file /paySuccess of the component Order Status Handler. The manipulation of the argument orderNo leads to improper authorization. Remote exploitation of...

CVSS 5.3 | EPSS 0.00069
Exploits 1 | References 5
CVE
added 2025/09/15 2:32 a.m., 11 views

CVE-2025-10422

CVE-2025-10422 affects the newbee-mall Order Status Handler, specifically the paySuccess function in the /paySuccess file. The vulnerability arises from manipulating the orderNo parameter, causing improper authorization. Remote exploitation is possible and the exploit has been publicly disclosed....

CVSS 5.3 | AI score 6.3 | EPSS 0.00069
Exploits 1 | References 5 | Affected software 1
Vulnrichment
added 2025/09/15 2:32 a.m., 2 views

CVE-2025-10422 newbee-mall Order Status paySuccess improper authorization

A vulnerability has been found in newbee-mall up to 613a662adf1da7623ec34459bc83e3c1b12d8ce7. This issue affects the function paySuccess of the file /paySuccess of the component Order Status Handler. The manipulation of the argument orderNo leads to improper authorization. Remote exploitation of...

CVSS 5.3 | AI score 6.3 | EPSS 0.00069
Exploits 1 | References 5
CNNVD
added 2025/09/15 12:00 a.m., 2 views

newbee-mall authorization issue vulnerability

newbee-mall is a newbee open source e-commerce system. There is an authorization issue vulnerability in newbee-mall, which stems from improper handling of the parameter orderNo of the component Order Status Handler in the file /paySuccess, which may lead to improper authorization...

CVSS 5.3 | AI score 4.9 | EPSS 0.00069
Exploits 1 | References 5
RedhatCVE
added 2025/09/14 5:18 a.m., 5 views

CVE-2025-10287

A vulnerability has been found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The affected element is an unknown function of the file /auth/orderQuery. Such manipulation of the argument orderNo leads to direct request. The attack may be performed from remote. A high complexi...

CVSS 3.1 | AI score 3.6 | EPSS 0.00044
Exploits 0 | References 1
NVD
added 2025/09/12 5:15 a.m., 1 view

CVE-2025-10287

A vulnerability has been found in roncoo roncoo-pay up to 9428382af21cd5568319eae7429b7e1d0332ff40. The affected element is an unknown function of the file /auth/orderQuery. Such manipulation of the argument orderNo leads to direct request. The attack may be performed from remote. A high complexi...

CVSS 3.1 | EPSS 0.00044
Exploits 0 | References 4
Positive Technologies
added 2025/09/12 12:00 a.m., 2 views

PT-2025-37285

Name of the Vulnerable Software and Affected Versions: roncoo-pay versions prior to 9428382af21cd5568319eae7429b7e1d0332ff40. Description: A vulnerability exists in roncoo-pay that allows for direct request manipulation. The issue is related to the /auth/orderQuery file and an unknown function...

CVSS 3.1 | AI score 3.9 | EPSS 0.00044
Exploits 0 | References 7
OSV
added 2024/02/29 1:43 a.m., 0 views

CVE-2024-1492

The WPify Woo Czech plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the maybesendtopacketa function in all versions up to, and including, 4.0.8. This makes it possible for unauthenticated attackers to obtain shipping details for orders as lon...

CVSS 5.3 | AI score 5.8 | EPSS 0.00483
Exploits 0 | References 2
Prion
added 2024/02/29 1:43 a.m., 21 views

Design/Logic Flaw

The WPify Woo Czech plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the maybesendtopacketa function in all versions up to, and including, 4.0.8. This makes it possible for unauthenticated attackers to obtain shipping details for orders as lon...

CVSS 5 | AI score 7.2 | EPSS 0.00483
Exploits 0 | References 2
OSV
added 2023/11/16 11:15 p.m., 1 view

CVE-2023-47687

Cross-Site Request Forgery CSRF vulnerability in VJInfotech Woo Custom and Sequential Order Number plugin = 2.6.0 versions...

CVSS 8.8 | AI score 7.3
Exploits 0 | References 1