CVE-2026-9284

The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the ppc-create-order and ppc-get-order WC-AJAX endpoints in all versions up to, and including, 4.0.1. The ppc-create-order endpoi...

CVE-2026-9284

The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the ppc-create-order and ppc-get-order WC-AJAX endpoints in all versions up to, and including, 4.0.1. The ppc-create-order endpoi...

WordPress Appmax plugin <= 1.0.3 - Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint vulnerability

Missing Authorization to Order Status Manipulation and Arbitrary Order Creation via Webhook Endpoint vulnerability discovered by WordFence in WordPress Plugin Appmax versions = 1.0.3...

CVE-2025-14461 Xendit Payment <= 6.0.2 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid

The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint wcxenditcallback that processes payment callbacks without any...

PT-2026-5879

Name of the Vulnerable Software and Affected Versions Xendit Payment plugin for WordPress versions up to and including 6.0.2 Description The Xendit Payment plugin for WordPress is susceptible to unauthorized modification of order statuses. This occurs because the plugin exposes a publicly...

CVE-2025-14463

The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint wppaypalcheckoutajaxprocessorder that processes checkout results without any authentication or...

CVE-2025-15475

CVE-2025-15475 affects the PayHere Payment Gateway Plugin for WooCommerce (WordPress). The issue arises from improper validation in the check_payhere_response function, allowing unauthenticated attackers to modify data and change the status of pending WooCommerce orders to paid/completed/on hold ...

CVE-2025-15512

The CVE-2025-15512 entry describes a vulnerability in the WordPress Aplazo Payment Gateway plugin (versions up to and including 1.4.2) where a missing capability check in check_success_response() allows unauthenticated attackers to modify any WooCommerce order to the pending payment status. Multi...

CVE-2025-14460

The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized order status modification in all versions up to, and including, 3.1.4. This is due to missing authorization checks on the payment callback endpoint handler when processing the 'fail' callback from the...

PT-2026-1636

Name of the Vulnerable Software and Affected Versions Piraeus Bank WooCommerce Payment Gateway plugin for WordPress versions through 3.1.4 Description The Piraeus Bank WooCommerce Payment Gateway plugin for WordPress is susceptible to unauthorized modification of order statuses. This is a result ...

EverShop is vulnerable to Unauthorized Order Information Access (IDOR)

A vulnerability was detected in EverShop up to 2.0.1. Affected is an unknown function of the file /src/modules/oms/graphql/types/Order/Order.resolvers.js of the component Order Handler. The manipulation of the argument uuid results in improper control of resource identifiers. The attack may be...

EUVD-2024-0229

Malicious code in bioql PyPI...

EUVD-2025-4447

Malicious code in bioql PyPI...

EUVD-2024-54087

Malicious code in bioql PyPI...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the indexonUpdateStatus function in Orders.php, which does not check for the permissions of the user before modifying an order. Remediation Upgrade tastyigniter/tastyigniter to version 4.0.0-beta.1 or higher...

TastyIgniter Has an Incorrect Access Control Vulnerability

TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the Orders Management System, allowing unauthorized users to update order statuses. The issue occurs in the indexonUpdateStatus function within Orders.php, which fails to verify if the user has permission to modify an order'...

CVE-2024-44314

TastyIgniter 3.7.6 contains an Incorrect Access Control in the Orders Management System. The vulnerability resides in Orders.php: index_onUpdateStatus(), which fails to verify a user’s permission before updating an order’s status. This allows unauthorized users to remotely modify orders (I:H, P:L...

CVE-2024-13798

The Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 2.3.5. This is due to insufficient verification on form fields. This makes it possible for unauthenticated attackers to create new orders for...

CVE-2024-13798

The Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 2.3.5. This is due to insufficient verification on form fields. This makes it possible for unauthenticated attackers to create new orders for...

CVE-2024-13798

The Post Grid and Gutenberg Blocks – ComboBlocks plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 2.3.5. This is due to insufficient verification on form fields. This makes it possible for unauthenticated attackers to create new orders for...