Lucene search
K

33 matches found

NVD
NVD
added 4 days ago7 views

CVE-2026-9857

The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access...

4.3CVSS0.00288EPSS
Exploits0References12
CVE
CVE
added 4 days ago11 views

CVE-2026-9857

The CVE concerns the WordPress Invoice123 plugin (versions

4.3CVSS6.1AI score0.00288EPSS
Exploits0References12
Cvelist
Cvelist
added 4 days ago36 views

CVE-2026-9857 Invoice123 <= 1.7.0 - Missing Authorization to Authenticated (Subscriber+) Setting Modification via s123_submit_api_key & s123_submit_invoice_settings AJAX actions

The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access...

4.3CVSS0.00288EPSS
Exploits0References12
NVD
NVD
added 2026/02/03 7:16 p.m.8 views

CVE-2026-25487

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the...

6.1CVSS0.00261EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/02/03 6:7 p.m.32 views

CVE-2026-25487 Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the...

6.1CVSS0.00261EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/02/03 6:7 p.m.2 views

CVE-2026-25487

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the...

6.1CVSS5.5AI score0.00261EPSS
Exploits1References5Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/03 6:7 p.m.1 views

CVE-2026-25487 Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the...

6.1CVSS5.5AI score0.00261EPSS
Exploits1References4
CVE
CVE
added 2026/02/03 6:7 p.m.17 views

CVE-2026-25487

CVE-2026-25487 affects Craft Commerce (Craft CMS). A stored XSS flaw exists in the Tax Rates Name field displayed in the admin Store Management panel. Affected versions are 4.0.0-RC1 through 4.10.0 and 5.0.0 through 5.5.1. The issue enables attackers with store settings/taxes permissions to injec...

6.1CVSS5.5AI score0.00261EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/02/03 6:7 p.m.5 views

EUVD-2026-5205

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the...

6.1CVSS5.5AI score0.00261EPSS
Exploits1References4
OSV
OSV
added 2026/02/03 6:7 p.m.5 views

CVE-2026-25487 Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the...

6.1CVSS5.5AI score0.00261EPSS
Exploits1References6
Snyk
Snyk
added 2026/02/02 10:51 p.m.4 views

Cross-site Scripting (XSS)

Overview craftcms/commerce is a Craft Commerce Affected versions of this package are vulnerable to Cross-site Scripting XSS in the Name field of the tax rates management section. An attacker can execute arbitrary JavaScript code in an administrator's browser by submitting specially crafted input,...

6.1CVSS5.6AI score0.00261EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/02/02 10:51 p.m.6 views

Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation

Summary A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. Proof of Concept...

6.1CVSS5.7AI score0.00261EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2026/02/02 10:51 p.m.3 views

GHSA-WQC5-485V-3HQH Craft CMS has Stored XSS in Tax Rates Name Leading to Potential Privilege Escalation

Summary A stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the Store Management section is not properly sanitized before being displayed in the admin panel. Proof of Concept...

6.1CVSS5.8AI score0.00261EPSS
Exploits1References6
Positive Technologies
Positive Technologies
added 2026/02/02 12:0 a.m.5 views

PT-2026-5747

Name of the Vulnerable Software and Affected Versions Craft Commerce versions 4.0.0-RC1 through 4.10.0 Craft Commerce versions 5.0.0 through 5.5.1 Description Craft Commerce, an ecommerce platform for Craft CMS, contains a stored cross-site scripting XSS issue. The issue resides in the Tax Rates...

6.1CVSS5.2AI score0.00261EPSS
Exploits1References9
EUVD
EUVD
added 2025/10/03 8:7 p.m.8 views

EUVD-2025-28821

Malicious code in bioql PyPI...

5.4CVSS4.8AI score0.00264EPSS
Exploits1References5
OSV
OSV
added 2025/08/29 5:15 p.m.8 views

CVE-2025-55579

SolidInvoice version 2.3.7 is vulnerable to a Stored Cross-Site Scripting XSS issue in the Tax Rates functionality. The vulnerability is fixed in version 2.3.8...

5.4CVSS5.8AI score0.00245EPSS
Exploits2References2
RedhatCVE
RedhatCVE
added 2025/08/21 10:29 p.m.7 views

CVE-2025-9170

A vulnerability was identified in SolidInvoice up to 2.4.0. The affected element is an unknown function of the file /tax/rates of the component Tax Rates Module. Such manipulation of the argument Name leads to cross site scripting. The attack can be executed remotely. The exploit is publicly...

5.4CVSS6.4AI score0.00264EPSS
Exploits1References1
OSV
OSV
added 2025/08/19 10:15 p.m.5 views

CVE-2025-9170

A vulnerability was identified in SolidInvoice up to 2.4.0. The affected element is an unknown function of the file /tax/rates of the component Tax Rates Module. Such manipulation of the argument Name leads to cross site scripting. The attack can be executed remotely. The exploit is publicly...

5.4CVSS3.9AI score0.00264EPSS
Exploits1References5
NVD
NVD
added 2025/08/19 10:15 p.m.8 views

CVE-2025-9170

A vulnerability was identified in SolidInvoice up to 2.4.0. The affected element is an unknown function of the file /tax/rates of the component Tax Rates Module. Such manipulation of the argument Name leads to cross site scripting. The attack can be executed remotely. The exploit is publicly...

5.4CVSS0.00264EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2025/08/19 10:2 p.m.4 views

CVE-2025-9170 SolidInvoice Tax Rates rates cross site scripting

A vulnerability was identified in SolidInvoice up to 2.4.0. The affected element is an unknown function of the file /tax/rates of the component Tax Rates Module. Such manipulation of the argument Name leads to cross site scripting. The attack can be executed remotely. The exploit is publicly...

5.1CVSS6.3AI score0.00264EPSS
Exploits1References5
Rows per page
Query Builder