8 matches found

Vulnrichment
added 2026/04/07 7:40 a.m. | 3 views

CVE-2026-3177 Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook...

5.3 CVSS | 5.9 AI score | 0.00009 EPSS
Exploits: 0 | References: 2
Packet Storm
added 2026/03/12 12:0 a.m. | 148 views

📄 Alipay Open Redirect / API Attacker Payload Insertion

A single crafted URL enables a complete attack chain against Alipay mobile application users that can allow for data exfiltration. As the vendor has stated this is normal behavior with no apparent plans to address the problem, this is being published to make users aware. Alipay Mobile App -...

5.8 AI score
Exploits: 0
Positive Technologies
added 2026/02/17 12:0 a.m. | 5 views

PT-2026-8397

Name of the Vulnerable Software and Affected Versions: Zarinpal Gateway for WooCommerce plugin versions prior to 5.0.17. Description: The Zarinpal Gateway for WooCommerce plugin for WordPress has an issue with Improper Access Control to Payment Status Update. The payment callback handler Return from...

7.7 CVSS | 5.4 AI score | 0.00135 EPSS
Exploits: 0 | References: 13
CNNVD
added 2025/11/22 12:0 a.m. | 2 views

WordPress plugin CP Contact Form with PayPal security vulnerability

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server. WordPress plugin is an application plugin. A security vulnerability exists in the WordPress plugin CP Contact Form with PayPal, which stem...

7.5 CVSS | 6.2 AI score | 0.00191 EPSS
Exploits: 0 | References: 6
NVD
added 2025/10/25 6:15 a.m. | 4 views

CVE-2025-11564

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it...

5.3 CVSS | 0.00171 EPSS
Exploits: 0 | References: 2
Cvelist
added 2025/03/20 5:22 a.m. | 8 views

CVE-2025-1766 Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.24 - Missing Authorization to Unauthenticated Payment Status Update

The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'paymentcomplete' function in all versions up to, and including, 4.0.24. This makes it possible for unauthenticated...

5.3 CVSS | 0.00347 EPSS
Exploits: 0 | References: 3
Hacker One
added 2022/03/09 3:16 p.m. | 46 views

Kraden: Business Logic Flaw in the subscription of the app

Summary: Hello Security Team Business logic vulnerabilities are flaws in the design and implementation of an application that allow an attacker to elicit unintended behavior. This potentially enables attackers to manipulate legitimate functionality to achieve a malicious goal. Steps To Reproduce:...

0.3 AI score
Exploits: 0
CVE
added 2020/03/16 7:42 p.m. | 55 views

CVE-2017-12842

Bitcoin Core before 0.14 is vulnerable to an SPV proof manipulation flaw. An attacker can craft an ostensibly valid SPV proof for a payment to a victim’s SPV wallet even if the payment never occurred, potentially misleading the wallet into accepting non-existent transactions. The attack cost is d...

7.5 CVSS | 7.4 AI score | 0.01863 EPSS
Exploits: 0 | References: 3 | Affected Software: 1