20 matches found

Vulnrichment
added 2026/04/08 6:43 a.m. · 2 views

CVE-2026-3594 Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint

The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return_true', meaning no...

5.3 CVSS · 5.9 AI score · 0.00085 EPSS
Exploits 0 · References 9

CVE
added 2026/04/08 6:43 a.m. · 3 views

CVE-2026-3594

The Riaxe Product Customizer plugin for WordPress (

5.3 CVSS · 5.9 AI score · 0.00085 EPSS
Exploits 0 · References 9

Cvelist
added 2026/04/08 6:43 a.m. · 17 views

CVE-2026-3594 Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint

The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return_true', meaning no...

5.3 CVSS · 0.00085 EPSS
Exploits 0 · References 9

Patchstack
added 2026/04/08 1:42 a.m. · 1 views

WordPress Riaxe Product Customizer plugin <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint vulnerability

Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint vulnerability discovered by Kai Aizen in WordPress Plugin Riaxe Product Customizer versions <= 2.4...

5.3 CVSS · 5.9 AI score · 0.00085 EPSS
Exploits 0 · References 1 · Affected Software 1

OSV
added 2025/12/05 2:15 p.m. · 0 views

CVE-2025-14085

A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown function of the file /app-api/v1/orders/. The manipulation of the argument orderId leads to improper control of dynamically-identified variables. Remote exploitation of the attack is possible. The exploi...

8.8 CVSS · 5.3 AI score
Exploits 0 · References 4

Vulnrichment
added 2025/12/05 2:02 p.m. · 3 views

CVE-2025-14085 youlaitech youlai-mall orders improper control of dynamically-identified variables

A vulnerability has been found in youlaitech youlai-mall 1.0.0/2.0.0. This impacts an unknown function of the file /app-api/v1/orders/. The manipulation of the argument orderId leads to improper control of dynamically-identified variables. Remote exploitation of the attack is possible. The exploi...

6.5 CVSS · 6.1 AI score · 0.00047 EPSS
Exploits 1 · References 4

Positive Technologies
added 2025/12/05 12:00 a.m. · 4 views

PT-2025-49243

Name of the Vulnerable Software and Affected Versions youlaitech youlai-mall versions 1.0.0 through 2.0.0 Description A flaw exists in youlaitech youlai-mall that involves improper control of dynamically-identified variables. The issue is located within an unknown function of the...

8.8 CVSS · 6.3 AI score · 0.00047 EPSS
Exploits 1 · References 10

RedhatCVE
added 2025/11/12 3:46 a.m. · 4 views

CVE-2025-11457

The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to select roles durin...

9.8 CVSS · 5.9 AI score · 0.00174 EPSS
Exploits 0 · References 1

EUVD
added 2025/11/11 6:30 a.m. · 2 views

EUVD-2025-60948

The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.5.0. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to select roles durin...

9.8 CVSS · 6 AI score · 0.00174 EPSS
Exploits 0 · References 3

NVD
added 2025/11/11 4:15 a.m. · 2 views

CVE-2025-11457

The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to select roles durin...

9.8 CVSS · 0.00174 EPSS
Exploits 0 · References 3

CVE
added 2025/11/11 3:30 a.m. · 15 views

CVE-2025-11457

CVE-2025-11457 pertains to the WordPress plugin EasyCommerce – AI-Powered Ecommerce. The issue is an unauthenticated privilege-escalation flaw caused by insufficient restrictions on role selection via the /easycommerce/v1/orders API endpoint during user registration. Exploitation could allow an u...

9.8 CVSS · 5.9 AI score · 0.00174 EPSS
Exploits 0 · References 3

Cvelist
added 2025/11/11 3:30 a.m. · 4 views

CVE-2025-11457 EasyCommerce – AI-Powered, Blazing-Fast & Beautiful WordPress Ecommerce Plugin 0.9.0-beta2 - 1.8.2 - Unauthenticated Privilege Escalation

The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to select roles durin...

9.8 CVSS · 0.00174 EPSS
Exploits 0 · References 3

CNNVD
added 2025/11/11 12:00 a.m. · 1 views

WordPress plugin EasyCommerce security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security...

9.8 CVSS · 6.8 AI score · 0.00174 EPSS
Exploits 0 · References 2

Positive Technologies
added 2025/11/11 12:00 a.m. · 2 views

PT-2025-46247

Name of the Vulnerable Software and Affected Versions EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin versions 0.9.0-beta2 through 1.5.0 Description The EasyCommerce plugin for WordPress has a flaw where the /easycommerce/v1/orders API endpoint does not adequately limit use...

9.8 CVSS · 6.7 AI score · 0.00174 EPSS
Exploits 0 · References 8

OSV
added 2025/11/03 4:15 p.m. · 0 views

CVE-2025-63449

Water Management System v1.0 is vulnerable to Cross Site Scripting XSS in /orders.php...

5.4 CVSS · 5.8 AI score
Exploits 0 · References 1

Positive Technologies
added 2025/11/03 12:00 a.m. · 1 views

PT-2025-44776

Name of the Vulnerable Software and Affected Versions Water Management System version 1.0 Description Water Management System version 1.0 is susceptible to Cross Site Scripting XSS within the /orders.php endpoint. The issue allows for the injection of malicious scripts through this endpoint...

5.4 CVSS · 5.9 AI score · 0.00041 EPSS
Exploits 1 · References 3

Positive Technologies
added 2024/08/06 12:00 a.m. · 1 views

PT-2024-25589 · Unknown · E-Negosyo System

Name of the Vulnerable Software and Affected Versions: E-Negosyo System version 1.0 Description: The issue allows an attacker to exploit a SQL injection vulnerability by sending a specially crafted query to the server. This could enable the retrieval of all information stored in the id variable i...

9.8 CVSS · 7.2 AI score · 0.00247 EPSS
Exploits 0 · References 4

Positive Technologies
added 2024/08/06 12:00 a.m. · 1 views

PT-2024-25609 · Unknown · E-Negosyo System

Name of the Vulnerable Software and Affected Versions: E-Negosyo System version 1.0 Description: The issue is related to a Cross-Site Scripting XSS vulnerability. An attacker could create a specially crafted URL and send it to a victim to obtain their session cookie details via the view parameter...

7.1 CVSS · 5.9 AI score · 0.00174 EPSS
Exploits 0 · References 4

Positive Technologies
added 2022/11/07 12:00 a.m. · 1 views

PT-2022-26697 · Unknown · Food Ordering Management System

Name of the Vulnerable Software and Affected Versions: Food Ordering Management System version 1.0 Description: The issue is related to a SQL injection vulnerability. It can be exploited via the component /foms/all-orders.php?status=Cancelled%20by%20Customer. This vulnerability allows for potenti...

7.2 CVSS · 7.4 AI score · 0.00274 EPSS
Exploits 1 · References 4

Veracode
added 2018/01/05 8:30 a.m. · 7 views

Unauthorized API Access

solidus is vulnerable to unauthorized API access attacks. The vulnerability exists as API keys were not validated for critical endpoints such as the Api::Orderscreate endpoint...

6.8 AI score
Exploits 0