25 matches found
CVE-2026-2381
The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxpayfororder function in all versions up to, and including, 10.7.0. This is due to a missing order ownership or orderkey verification when...
CVE-2026-47696
WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess =...
PT-2026-46892
Summary The Shopware Store API endpoint /store-api/handle-payment contains an object-level authorization flaw that allows a low-privileged external user with a normal customer or guest context to trigger the payment flow for another user’s order by supplying a foreign orderId. The affected...
PT-2026-40615
Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. Attackers can extract payment form data and signatures from POST requests to the payment endpoint,...
goodoneuz/pay-uz: the /payment/api/editable/update endpoint overwrites existing PHP payment hook files
The goodoneuz/pay-uz Laravel package <= 2.2.24 contains a critical vulnerability in the /payment/api/editable/update endpoint that allows unauthenticated attackers to overwrite existing PHP payment hook files. The endpoint is exposed via Route::any without authentication middleware, enabling remot...
CVE-2026-31843
This CVE affects the Laravel package goodoneuz/pay-uz (version
PT-2026-33312
Name of the Vulnerable Software and Affected Versions pay-uz versions prior to 2.2.25 Description The pay-uz Laravel package contains a flaw in the '/payment/api/editable/update' endpoint. This endpoint is exposed via Route::any without authentication middleware, allowing unauthenticated remote...
CVE-2025-13273
Campcodes School Fees Payment Management System 1.0 is affected by CVE-2025-13273 due to a SQL injection in the /ajax.php?action=delete_payment endpoint caused by unsafely manipulated ID parameters. Remote exploitation is possible, and an exploit has been publicly released. The issue is corrobora...
CVE-2025-13269
A vulnerability has been found in Campcodes School Fees Payment Management System 1.0. The impacted element is an unknown function of the file /ajax.php?action=savepayment. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been...
CVE-2025-13269
The CVE-2025-13269 entry affects Campcodes School Fees Payment Management System 1.0. A SQL injection vulnerability exists in the /ajax.php?action=save_payment handler, triggered by manipulating the ID parameter. Reports across CNVD, Red Hat advisory, CNNVD, CIRCL, and others confirm a remote-att...
EUVD-2025-25865
Malicious code in bioql PyPI...
CVE-2025-10109 Campcodes Online Loan Management System ajax.php sql injection
A vulnerability was determined in Campcodes Online Loan Management System 1.0. This issue affects some unknown processing of the file /ajax.php?action=deletepayment. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been...
CVE-2025-9502
A weakness has been identified in Campcodes Online Loan Management System 1.0. This impacts an unknown function of the file /ajax.php?action=savepayment. Executing manipulation of the argument loanid can lead to sql injection. The attack may be launched remotely. The exploit has been made availab...
CVE-2025-9502
CVE-2025-9502 affects Campcodes Online Loan Management System v1.0. The vulnerability is an SQL injection in the function/file /ajax.php?action=save_payment (and variations like /ajax.php?action=save payment) caused by manipulation of the loan_id parameter. Attacks can be launched remotely and, p...
CVE-2022-41515
Open Source SACCO Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /saccoshield/ajax.php?action=deletepayment...
CVE-2025-0744
An Improper Access Control vulnerability has been found in EmbedAI 2.1 and below. This vulnerability allows an authenticated attacker to change his subscription plan without paying by making a POST request changing the parameters of the "/demos/embedai/pmtcashondelivery/pay" endpoint...
PT-2023-25706 · Sealos · Sealos
Name of the Vulnerable Software and Affected Versions: Sealos versions 4.2.0 and prior Description: Sealos, a Cloud Operating System for managing cloud-native applications, has a permission flaw in its billing system. This flaw allows users to control the recharge resource account via the...
PT-2022-26283 · Unknown · Open Source Sacco Management System
Name of the Vulnerable Software and Affected Versions: Open Source SACCO Management System version 1.0 Description: The issue concerns SQL Injection, which can be exploited via the "/sacco shield/manage payment.php" API endpoint. Recommendations: For Open Source SACCO Management System version 1....