CVE-2025-12621 Flexible Refund and Return Order for WooCommerce <= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update

The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'createrefund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, wit...

CVE-2025-10570 Flexible Refund and Return Order for WooCommerce <= 1.0.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund

The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the saverefundrequest function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit...

CVE-2024-46532

SQL Injection vulnerability in OpenHIS v.1.0 allows an attacker to execute arbitrary code via the refund function in the PayController.class.php component...

CVE-2024-46532

SQL Injection vulnerability in OpenHIS v.1.0 allows an attacker to execute arbitrary code via the refund function in the PayController.class.php component...

CVE-2024-46532

SQL Injection vulnerability in OpenHIS v.1.0 allows an attacker to execute arbitrary code via the refund function in the PayController.class.php component...

OpenHIS 安全漏洞

OpenHIS is a web-based hospital management application from China Xinzhi OpenHIS. A SQL injection vulnerability exists in OpenHIS v.1.0, which stems from a lack of validation of externally-entered SQL statements in the refund function of the PayController.class.php component. An attacker can...

PT-2024-32024 · Openhis · Openhis

Name of the Vulnerable Software and Affected Versions: OpenHIS version 1.0 Description: A SQL Injection issue allows an attacker to execute arbitrary code via the refund function in the PayController.class.php component. Users are urged to update to the latest release to mitigate risks...

CVE-2024-7386

The Premium Packages – Sell Digital Products Securely plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.1. This is due to missing nonce validation on the addRefund function. This makes it possible for unauthenticated attackers to perform...

Fund Drainage Due to Reentrancy Vulnerability in Crowdfunding

Lines of code Vulnerability details Impact in the refund function, there is a problem, this function is reads the isAuthority state variable from the PartyGovernanceNFT contract after making an external call to the burn function of the same contract. The burn function in the PartyGovernanceNFT...

Gas Pricing Can Be Used To Extort Funds From Users of SChain Owner

Lines of code Vulnerability details Impact The function refundGasByUser can be exploited by the message sender to drain nodes and SChain owners of their balances when processing incoming messages. When a node collates a set of exits from an SChain to Ethereum, they are submitted on-chain via...