Lucene search
K

14 matches found

CVE
CVE
added 7 hours ago6 views

CVE-2026-14500

The CVE-2026-14500 entry concerns the Bulk Order Update for WooCommerce plugin for WordPress (

5.3CVSS6.1AI score
Exploits0References4
EUVD
EUVD
added 7 hours ago5 views

EUVD-2026-42175

The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouwfetchcsvdata AJAX handler being registered on the wpajaxnopriv hook with no capability or nonce check, and passing the attacker-supplied...

5.3CVSS6.1AI score
Exploits0References4
OSV
OSV
added 2026/06/04 7:33 p.m.9 views

GHSA-F8Q6-3G5W-JJR6 Shopware: Admin API ACL Bypass in Order State Transition Endpoints

Summary This is a vertical authorization bypass in the Admin API affecting order state transition features /api/action/order/orderId/state/transition and similar transaction/delivery transition routes. The root cause is that the transition action routes do not declare required server-side ACL...

6.5CVSS5.9AI score0.00041EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/02/04 8:25 a.m.28 views

CVE-2025-14461 Xendit Payment <= 6.0.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid

The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wcxenditcallback that processes payment callbacks without any...

5.3CVSS0.00345EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-16417

Malicious code in bioql PyPI...

5.3CVSS6.5AI score0.00951EPSS
Exploits0References3
OSV
OSV
added 2025/05/28 12:15 p.m.3 views

CVE-2025-5299

A vulnerability was found in SourceCodester Client Database Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /userordercustomerupdate.php. The manipulation of the argument uploadedfilecancelled leads to unrestricted upload. The attack ca...

6.9CVSS5.6AI score0.00513EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2025/05/23 12:0 a.m.14 views

CVE-2022-4385

The Intuitive Custom Post Order WordPress plugin before 3.1.4 does not check for authorization in the update-menu-order ajax action, allowing any logged in user with roles as low as Subscriber to update the menu order...

4.3CVSS6.7AI score0.00486EPSS
Exploits2References1
Positive Technologies
Positive Technologies
added 2024/01/24 12:0 a.m.6 views

PT-2024-15700 · WordPress · Paid Memberships Pro

Name of the Vulnerable Software and Affected Versions: Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress versions up to, and including, 2.12.7 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce...

5.3CVSS6AI score0.00951EPSS
Exploits0References10
CNNVD
CNNVD
added 2023/06/14 12:0 a.m.3 views

WordPress Plugin MStore API 跨站请求伪造漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. A cross-site request forgery...

4.3CVSS6.1AI score0.00316EPSS
Exploits0References3
WPVulnDB
WPVulnDB
added 2023/04/19 12:0 a.m.18 views

WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update

The plugin does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example PoC Run the...

6.5CVSS9AI score0.00337EPSS
Exploits2Affected Software1
wpexploit
wpexploit
added 2023/04/19 12:0 a.m.148 views

WooCommerce Order Status Change Notifier <= 1.1.0 - Subscriber+ Arbitrary Order Status Update

The plugin does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example Run the bel...

6.5CVSS9.3AI score0.00337EPSS
Exploits2
wpexploit
wpexploit
added 2023/01/24 12:0 a.m.409 views

Intuitive Custom Post Order < 3.1.4 - Arbitrary Menu Order Update via CSRF

The plugin lacks CSRF protection in its update-menu-order ajax action, allowing an attacker to trick any user to change the menu order via a CSRF attack...

4.3CVSS5.1AI score0.00267EPSS
Exploits2
OSV
OSV
added 2022/07/14 4:9 p.m.6 views

CLSA-2022-1657814965 Fix CVE(s): CVE-2022-1473, CVE-2022-1292, CVE-2022-2068

SECURITY REGRESSION: Invalid fix for CVE-2022-1473 - debian/patches/CVE-2022-1473.patch: removing unnecessary patch since this version is actually not affected SECURITY UPDATE: crehash script allows command injection - debian/patches/CVE-2022-1292.patch: switch to upstream patch, and apply it...

10CVSS6.8AI score0.95764EPSS
Exploits6References1
CNVD
CNVD
added 2017/09/13 12:0 a.m.5 views

AlegroCart SQL Injection Vulnerability

AlegroCart is an open source online business solution from the Canadian ALEGROCART team. A SQL injection vulnerability exists in AlegroCart version 1.2.8. Remote attackers can use a variety of methods to exploit the vulnerability to execute arbitrary SQL commands. The methods include:...

7.2CVSS7.6AI score0.01981EPSS
Exploits1References1
Rows per page
Query Builder