14 matches found
CVE-2026-14500
The CVE-2026-14500 entry concerns the Bulk Order Update for WooCommerce plugin for WordPress (
EUVD-2026-42175
The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouwfetchcsvdata AJAX handler being registered on the wpajaxnopriv hook with no capability or nonce check, and passing the attacker-supplied...
GHSA-F8Q6-3G5W-JJR6 Shopware: Admin API ACL Bypass in Order State Transition Endpoints
Summary This is a vertical authorization bypass in the Admin API affecting order state transition features /api/action/order/orderId/state/transition and similar transaction/delivery transition routes. The root cause is that the transition action routes do not declare required server-side ACL...
CVE-2025-14461 Xendit Payment <= 6.0.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid
The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wcxenditcallback that processes payment callbacks without any...
EUVD-2024-16417
Malicious code in bioql PyPI...
CVE-2025-5299
A vulnerability was found in SourceCodester Client Database Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /userordercustomerupdate.php. The manipulation of the argument uploadedfilecancelled leads to unrestricted upload. The attack ca...
CVE-2022-4385
The Intuitive Custom Post Order WordPress plugin before 3.1.4 does not check for authorization in the update-menu-order ajax action, allowing any logged in user with roles as low as Subscriber to update the menu order...
PT-2024-15700 · WordPress · Paid Memberships Pro
Name of the Vulnerable Software and Affected Versions: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress versions up to, and including, 2.12.7 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce...
WordPress Plugin MStore API 跨站请求伪造漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forgery...
WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update
The plugin does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example PoC Run the...
WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update
The plugin does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example Run the bel...
Intuitive Custom Post Order < 3.1.4 - Arbitrary Menu Order Update via CSRF
The plugin lacks CSRF protection in its update-menu-order ajax action, allowing an attacker to trick any user to change the menu order via a CSRF attack...
CLSA-2022-1657814965 Fix CVE(s): CVE-2022-1473, CVE-2022-1292, CVE-2022-2068
SECURITY REGRESSION: Invalid fix for CVE-2022-1473 - debian/patches/CVE-2022-1473.patch: removing unnecessary patch since this version is actually not affected SECURITY UPDATE: crehash script allows command injection - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and apply it...
AlegroCart SQL Injection Vulnerability
AlegroCart is an open source online business solution from the Canadian ALEGROCART team. A SQL injection vulnerability exists in AlegroCart version 1.2.8. Remote attackers can use a variety of methods to exploit the vulnerability to execute arbitrary SQL commands. The methods include:...