CVE-2026-56341

AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including...

CVE-2026-32834

Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can...

CVE-2026-39643

Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPal WooCommerce pymntpl-paypal-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Plugins for PayPal WooCommerce: from n/a through = 2.0.13...

CVE-2026-39643 WordPress Payment Plugins for PayPal WooCommerce plugin <= 2.0.13 - Broken Access Control vulnerability

Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPal WooCommerce pymntpl-paypal-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Plugins for PayPal WooCommerce: from n/a through = 2.0.13...

CVE-2026-25002

CVE-2026-25002 affects LearnPress – Sepay Payment (LearnPress plugin) with versions

CVE-2026-28674

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the AdminPaymentPluginUpload endpoint lets admins upload any file to plugins/payment/. It only checks a hardcoded password qweasd123456 and ignores file content. A...

CVE-2026-28674 xiaoheiFS Vulnerable to RCE via Arbitrary Payment Plugin Upload (Automatic Execution)

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the AdminPaymentPluginUpload endpoint lets admins upload any file to plugins/payment/. It only checks a hardcoded password qweasd123456 and ignores file content. A...

CVE-2026-28674 xiaoheiFS Vulnerable to RCE via Arbitrary Payment Plugin Upload (Automatic Execution)

xiaoheiFS is a self-hosted financial and operational system for cloud service businesses. In versions up to and including 0.3.15, the AdminPaymentPluginUpload endpoint lets admins upload any file to plugins/payment/. It only checks a hardcoded password qweasd123456 and ignores file content. A...

CVE-2024-10938

The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper...

WordPress OVRI Payment plugin 1.7.0 - Malicious .htaccess directive vulnerability

Malicious .htaccess directive vulnerability discovered by Marco Wotschka - Wordfence in WordPress Plugin OVRI Payment versions 1.7.0...

PT-2026-8068

The Payment Page | Payment Form for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pricing plan select text font family' parameter in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for...

Stripe Payment Plugin for WooCommerce <= 3.7.9 - Unauthenticated SQL Injection

Stripe Payment Plugin for WooCommerce for WordPress versions up to 3.7.9 contains a sqlinjection caused by insufficient escaping and lack of preparation on 'id' parameter, letting unauthenticated attackers execute arbitrary SQL queries, exploit requires sending crafted 'id' parameter. id:...

EUVD-2025-206808

The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wcxenditcallback that processes payment callbacks without any...

CVE-2025-14461 Xendit Payment <= 6.0.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid

The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wcxenditcallback that processes payment callbacks without any...

CVE-2025-14461

The CVE describes unauthenticated order-status manipulation in the Xendit Payment plugin for WordPress (WooCommerce integration). Versions up to and including 6.0.2 expose a publicly accessible API callback endpoint (wc_xendit_callback) that processes payment callbacks without authenticating orig...

WordPress Link Invoice Payment for WooCommerce plugin <= 2.8.0 - Missing Authorization to Unauthenticated Arbitrary Partial Payment Creation/Cancellation vulnerability

Missing Authorization to Unauthenticated Arbitrary Partial Payment Creation/Cancellation vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Invoice Payment for WooCommerce versions = 2.8.0...

CVE-2025-62076 WordPress Simple Payment plugin <= 2.4.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Ido Kobelkowsky Simple Payment simple-payment.This issue affects Simple Payment: from n/a through = 2.4.6...

CVE-2025-62076 WordPress Simple Payment plugin <= 2.4.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Ido Kobelkowsky Simple Payment simple-payment.This issue affects Simple Payment: from n/a through = 2.4.6...

CVE-2025-62075 WordPress Simple Payment plugin <= 2.4.6 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Ido Kobelkowsky Simple Payment simple-payment.This issue affects Simple Payment: from n/a through = 2.4.6...

CVE-2025-62075 WordPress Simple Payment plugin <= 2.4.6 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Ido Kobelkowsky Simple Payment simple-payment.This issue affects Simple Payment: from n/a through = 2.4.6...