5 matches found

CVE
added 2026/06/16 9:31 a.m., 30 views

CVE-2026-2381

The CVE concerns the WooCommerce Stripe Payment Gateway plugin for WordPress, affected in all versions up to 10.7.0. Root cause: missing capability check and missing order ownership/order_key verification in the wc_stripe_pay_for_order WC‑AJAX endpoint, with only a nonce validation. Impact: unaut...

CVSS 6.5, AI score 5.3, EPSS 0.00267
Exploits: 0, References: 6
Patchstack
added 2026/01/16 11:38 p.m., 6 views

WordPress RepairBuddy plugin <= 4.1116 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders vulnerability

Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders vulnerability discovered by Teerachai Somprasong in WordPress Plugin RepairBuddy versions <= 4.1116...

CVSS 5.3, AI score 7, EPSS 0.002
Exploits: 0, References: 1, Affected Software: 1
Positive Technologies
added 2025/11/10 12:00 a.m., 5 views

PT-2025-45600

A vulnerability was found in SourceCodester Food Ordering System 1.0. Affected by this vulnerability is an unknown functionality of the file /routers/edit-orders.php. The manipulation of the argument ID results in SQL injection. It is possible to launch the attack remotely. The exploit has been...

CVSS 6.5, AI score 7, EPSS 0.00282
Exploits: 1, References: 6
CVE
added 2025/10/01 12:00 a.m., 32 views

CVE-2025-52040

In Frappe ERPNext 15.57.5, the function get_blanket_orders() in erpnext/controllers/queries.py is vulnerable to SQL Injection via the blanket_order_type parameter due to unvalidated inputs, enabling an attacker to extract information from databases. The public documents do not provide exploitatio...

CVSS 8.2, AI score 6.9, EPSS 0.00298
Exploits: 1, References: 2, Affected Software: 1
CNVD
added 2017/09/27 12:00 a.m., 1 views

Hydrogen Krypton Travel App for Android suffers from an override access vulnerability

Hydrogen Krypton Travel APP is a comprehensive service platform in the field of new energy vehicles. The vulnerability exists in "My Wallet" and "My Orders" in the Android version of Hydrogen Krypton Mobility APP, which allows an attacker to view any user's details by using their cell phone numbe...

AI score 6.8
Exploits: 0