30 matches found

EUVD
added 2026/05/14 6:46 p.m. | 2 views

EUVD-2026-30371

Live Helper Chat is an open-source application that enables live support websites. In 4.84v, the Live Helper Chat REST API chat update endpoint allows a REST user with lhchat/use to update a chat in a department they cannot read. The endpoint accepts arbitrary chat object fields, so the user can...

CVSS 8.1 | AI score 5.9 | EPSS 0.00032
Exploits: 0 | References: 1

Patchstack
added 2026/04/15 3:37 a.m. | 3 views

WordPress Nexi XPay plugin <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification vulnerability

Missing Authorization to Unauthenticated Order Status Modification vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Nexi XPay versions <= 8.3.0...

CVSS 5.3 | AI score 5.8 | EPSS 0.00072
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2026/04/14 9:26 p.m. | 18 views

CVE-2025-15565 Nexi XPay <= 8.3.0 - Missing Authorization to Unauthenticated Order Status Modification

The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed...

CVSS 5.3 | EPSS 0.00072
Exploits: 0 | References: 2

Cvelist
added 2026/04/04 1:24 a.m. | 19 views

CVE-2026-3571 Pie Register – User Registration, Profiles & Content Restriction <= 3.8.4.8 - Missing Authorization to Unauthenticated Registration Form Status Modification

The Pie Register – User Registration, Profiles & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the piemain function in all versions up to, and including, 3.8.4.8. This makes it possible for unauthenticated attacker...

CVSS 6.5 | EPSS 0.0003
Exploits: 0 | References: 2

Patchstack
added 2026/02/13 10:16 p.m. | 7 views

WordPress Appointment Booking Calendar Plugin plugin <= 1.0.2 - Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification vulnerability

Missing Authorization to Unauthenticated Arbitrary Appointment Status Modification vulnerability discovered by MD. TAREQ AHAMED JONY itztrq - Knight Squad in WordPress Plugin Bookr versions <= 1.0.2...

CVSS 5.3 | AI score 5.5 | EPSS 0.0003
Exploits: 0 | References: 1 | Affected Software: 1

Positive Technologies
added 2026/02/04 12:0 a.m. | 2 views

PT-2026-5889

Name of the Vulnerable Software and Affected Versions: Magic Import Document Extractor plugin for WordPress versions up to and including 1.0.4. Description: The software is susceptible to unauthorized data modification because of a missing authorization check within the ajax sync usage function. Thi...

CVSS 5.3 | AI score 5.5 | EPSS 0.0003
Exploits: 0 | References: 4

CVE
added 2026/01/28 11:23 a.m. | 12 views

CVE-2025-15511

The CVE-2025-15511 entry concerns the WordPress Rupantorpay plugin. It states that all versions up to and including 2.0.0 are vulnerable due to a missing capability check in handle_webhook(), enabling unauthenticated attackers to modify WooCommerce order statuses via crafted requests to the WooCo...

CVSS 5.3 | AI score 5.9 | EPSS 0.00146
Exploits: 0 | References: 2

Vulnrichment
added 2026/01/20 1:22 a.m. | 0 views

CVE-2025-14978 PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) <= 1.119.8 - Missing Authorization to Unauthenticated Order Status Modification

The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including,...

CVSS 5.3 | AI score 5.7 | EPSS 0.00155
Exploits: 0 | References: 2

Patchstack
added 2026/01/19 9:53 p.m. | 4 views

WordPress PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin <= 1.119.8 - Missing Authorization to Unauthenticated Order Status Modification vulnerability

WordPress PeachPay - Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin <= 1.119.8 - Missing Authorization to Unauthenticated Order Status Modification vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugi...

CVSS 5.3 | AI score 5.5 | EPSS 0.00155
Exploits: 0 | References: 1 | Affected Software: 1

Vulnrichment
added 2026/01/14 5:28 a.m. | 1 views

CVE-2025-14854 WP-CRM System – Manage Clients and Projects <= 3.4.5 - Missing Authorization to Authenticated (Subscriber+) CRM Data Exposure and Task Modification

The WP-CRM System plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on the wpcrmgetemailrecipients and wpcrmsystemajaxtaskchangestatus AJAX functions in all versions up to, and including, 3.4.5. This makes it possible for authenticated attackers, with...

CVSS 5.4 | AI score 5.1 | EPSS 0.00015
Exploits: 0 | References: 3

CVE
added 2026/01/14 5:28 a.m. | 12 views

CVE-2025-14880

CVE-2025-14880 concerns the Netcash WooCommerce Payment Gateway plugin for WordPress. The vulnerability arises from a missing capability check in the handle_return_url function, present in all versions up to and including 4.1.3, enabling unauthenticated attackers to modify data and mark WooCommer...

CVSS 5.3 | AI score 5 | EPSS 0.00128
Exploits: 0 | References: 3

Patchstack
added 2026/01/13 10:46 p.m. | 3 views

WordPress Netcash WooCommerce Payment Gateway plugin <= 4.1.3 - Missing Authorization to Unauthenticated Order Status Modification vulnerability

Missing Authorization to Unauthenticated Order Status Modification vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Netcash WooCommerce Payment Gateway versions <= 4.1.3...

CVSS 5.3 | AI score 7 | EPSS 0.00128
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2026/01/09 4:31 a.m. | 12 views

CVE-2025-14886

CVE-2025-14886 concerns Japanized for WooCommerce for WordPress. It is a data modification vulnerability due to missing capability check on the order REST API endpoint, affecting all versions up to and including 2.7.17. Unauthenticated attackers could mark any WooCommerce order as processed/compl...

CVSS 5.3 | AI score 5 | EPSS 0.00044
Exploits: 0 | References: 2

Vulnrichment
added 2025/11/21 8:28 a.m. | 2 views

CVE-2025-13149 Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.1 - Authenticated (Author+) Missing Authorization to Post/Page Status Modification

The Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the "saveFutureActionData" function in all versions up to, and including,...

CVSS 4.3 | AI score 5 | EPSS 0.00036
Exploits: 0 | References: 2

Patchstack
added 2025/11/20 11:31 p.m. | 5 views

WordPress Post Expirator plugin <= 4.9.1 - Authenticated (Author+) Missing Authorization to Post/Page Status Modification vulnerability

Authenticated (Author+) Missing Authorization to Post/Page Status Modification vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Post Expirator versions <= 4.9.1...

CVSS 4.3 | AI score 7 | EPSS 0.00036
Exploits: 0 | References: 1 | Affected Software: 1

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2012-5414

Malware in sbrugna...

CVSS 5.5 | AI score 6.1 | EPSS 0.00177
Exploits: 0 | References: 8

Vulnrichment
added 2025/08/21 12:0 a.m. | 2 views

CVE-2025-55368

Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account...

AI score 7.1 | EPSS 0.00082
Exploits: 1 | References: 3

CVE
added 2025/08/21 12:0 a.m. | 11 views

CVE-2025-55368

CVE-2025-55368 affects jshERP v3.5 in the controller\RoleController.java, where an incorrect access control allows unauthorized attackers to arbitrarily modify the supplier status under any account. Multiple sources (RH, NVD, OSV, CNNVD, CVE list, PT Security) confirm the same description and ver...

CVSS 8.8 | AI score 7.1 | EPSS 0.00082
Exploits: 1 | References: 3 | Affected Software: 1

CNNVD
added 2025/08/21 12:0 a.m. | 1 views

jshERP security vulnerability

jshERP (Huaxia ERP) is a homegrown ERP system by the individual developer Ji Sheng Hua in China. A security vulnerability exists in jshERP version v3.5, which stems from improper access control in the RoleController.java component and could lead to modification of vendor status...

CVSS 8.8 | AI score 6.6 | EPSS 0.00082
Exploits: 1 | References: 4

Tenable Nessus
added 2025/05/05 12:0 a.m. | 1 views

Device Status Modification Detected (High)

Changes in the controller state can stop operations altogether or start an operation that should not have been started. These operations can be used by an attacker to disrupt normal operation, cause production losses, or create safety concerns. This plugin only works with Tenable.ot. Please visit...

AI score 5.5
Exploits: 0