4 matches found
CVE-2025-30999 WordPress External Store for Shopify plugin <= 1.5.9 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Fahad Mahmood External Store for Shopify wp-shopify allows PHP Local File Inclusion. This issue affects External Store for Shopify: from n/a through <= 1.5.9...
Shopify: Staff with Restricted Permissions Could Access Customer Data After Company Removal
The report describes a vulnerability in Shopify's admin interface where staff members with restricted company permissions could access and update customer information even after the customer had been removed from a specific company. The issue arose when a customer, initially associated with a...
Shopify: Reflected XSS In Marketing Reports Page On *.myshopify.com/admin
The returnpagepathname parameter on the marketing reports page of a Shopify store was vulnerable to reflected cross-site scripting (XSS) when using the javascript: protocol. The vulnerability was assessed as having high attack complexity, as specific conditions were required for the XSS to execute...
Shopify: DoS Vulnerability via Cache Poisoning on cdn.shopify.com and shopify-assets.shopifycdn.com
There was a web cache poisoning vulnerability on Shopify's CDN domains that allowed an attacker to block access to any file hosted on the website. The vulnerability existed because the cache server treated backslashes and forward slashes as equivalent, while the origin server returned 404 errors...