WordPress Payment Gateway for Redsys & WooCommerce Lite plugin <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation vulnerability

Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin Redsys for WooCommerce Light versions = 7.0.0...

CVE-2026-5050 Payment Gateway for Redsys & WooCommerce Lite <= 7.0.0 - Improper Verification of Cryptographic Signature to Unauthenticated Payment Status Manipulation

The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successfulrequest handlers calculating a local signature but not validating DsSignature from the request before...

WordPress Fluent Forms Pro Add On Pack plugin <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification vulnerability

Missing Authorization to Unauthenticated Payment Status modification vulnerability discovered by Prickly Cactus in WordPress Plugin Fluent Forms Pro Add On Pack versions = 6.1.17...

CVE-2025-14444

CVE-2025-14444 – RegistrationMagic for WordPress has a payment bypass vulnerability in the process_paypal_sdk_payment path. The issue arises from trusting client-supplied payment data without validating that PayPal payment actually completed, enabling unauthenticated users to activate registratio...

WordPress RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin <= 6.0.6.9 - Unauthenticated Payment Bypass via rm_process_paypal_sdk_payment vulnerability

WordPress RegistrationMagic - Custom Registration Forms, User Registration, Payment, and User Login plugin = 6.0.6.9 - Unauthenticated Payment Bypass via rmprocesspaypalsdkpayment vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin RegistrationMagi...

WordPress SureForms - Drag and Drop Form Builder for WordPress plugin <= 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation vulnerability

WordPress SureForms - Drag and Drop Form Builder for WordPress plugin = 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation vulnerability discovered by andrea bocchetti in WordPress Plugin SureForms versions = 2.2.1...

CVE-2025-14757 Cost Calculator Builder <= 3.6.9 - Missing Authorization to Unauthenticated Payment Status Bypass

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the completepayment AJAX action being registered via wpajaxnopriv,...

WordPress SKT PayPal for WooCommerce plugin <= 1.4 - Unauthenticated Payment Bypass vulnerability

Unauthenticated Payment Bypass vulnerability discovered by ch4r0n - FPT Software in WordPress Plugin SKT PayPal for WooCommerce versions = 1.4...

EUVD-2025-84360

The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the...

CVE-2025-12788

The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the...

CVE-2025-12788 Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Missing Payment Verification to Unauthenticated Payment Bypass

The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to missing payment verification to unauthenticated payment bypass in all versions up to, and including, 1.1.27. This is due to the plugin accepting client-controlled payment confirmation data in the...

WordPress Tutor LMS plugin <= 3.8.3 - Missing Authorization to Unauthenticated Payment Status Update vulnerability

Missing Authorization to Unauthenticated Payment Status Update vulnerability discovered by Rafshanzani Suhada in WordPress Plugin Tutor LMS versions = 3.8.3...

CVE-2024-1175 WP-Recall – Registration, Profile, Commerce & More <= 16.26.6 - Unauthenticated Payment Deletion via delete_payment

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deletepayment' function in all versions up to, and including, 16.26.6. This makes it possible for unauthenticated attackers to delete...

CVE-2024-1175 WP-Recall – Registration, Profile, Commerce & More <= 16.26.6 - Unauthenticated Payment Deletion via delete_payment

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deletepayment' function in all versions up to, and including, 16.26.6. This makes it possible for unauthenticated attackers to delete...

CVE-2024-2382 Authorize.net Payment Gateway For WooCommerce <= 8.0 - Insufficient Verification of Data Authenticity to Unauthenticated Payment Bypass

The Authorize.net Payment Gateway For WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 8.0. This is due to the plugin not properly verifying the authenticity of the request that updates a orders payment status. This makes it possible for...