17 matches found
EUVD-2025-37322
The WPC Name Your Price for WooCommerce plugin for WordPress is vulnerable to unauthorized price alteration in all versions up to, and including, 2.1.9. This is due to the plugin not disabling the ability to name a custom price when it has been specifically disabled for a product. This makes it...
EUVD-2023-12497
Malicious code in bioql PyPI...
Security vulnerability in product bundling feature
Description: Our e-commerce platform offers a bundled sales promotion feature, allowing an administrator to bind the sale of a product to an addon. However, we have identified a security vulnerability that exists in this feature. After an administrator cancels a bundle offer, users can still make...
GroupBuy may purchase NFT not in the allowed list
Lines of code / Vulnerability details: The issue that is described in code-423n4/2022-12-tessera-findings14 was not mitigated and still applies as it is described there...
Malicious Package in fast-requests
All versions of fast-requests contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation: Remove the package from your environment. Review your...
Android Keyboard App Could Swindle 40M Users Out of Millions
Researchers are warning users to delete a popular Android keyboard app that, once downloaded, makes unauthorized purchases of premium digital content. Google told Threatpost it has removed the app from its Google Play marketplace – but researchers say it was downloaded on at least 40 million phon...
Malicious Package
fast-requests is a malicious package. It uploads Discord user tokens to a remote server, allowing attackers to make purchases on behalf of users who have credit cards linked to their Discord accounts...
Malicious Package
Overview: All versions of carloprojectdiscord contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation: Remove the package from your...
Malicious Package
Overview: All versions of carloprojectlesang contain obfuscated malware that uploads Discord user tokens to a remote server. This allows attackers to make purchases on behalf of users if they have credit cards linked to their Discord accounts. Recommendation: Remove the package from your environmen...
KeyRaider Malware Steals Certificates, Keys and Account Data From Jailbroken iPhones
Researchers have discovered a new strain of iOS malware dubbed KeyRaider that targets jailbroken devices and has the ability to steal certificates, private keys, and Apple account information. The malware already has claimed the private Apple account data of more than 225,000 victims. The KeyRaid...
eBay Open to Cross-Site Request Forgery, Account Hijacking
eBay is vulnerable to a hack that would allow an attacker to hijack an account and make unauthorized purchases from the victim’s account that would be difficult to disprove. The vulnerability was discovered and reported to eBay in August, and despite three separate communications from the online...
CVE-2013-5193
The App Store component in Apple iOS before 7.0.4 does not properly enforce an intended transaction-time password requirement, which allows local users to complete a (1) App purchase or (2) In-App purchase by leveraging previous entry of Apple ID credentials...
Design/Logic Flaw
The App Store component in Apple iOS before 7.0.4 does not properly enforce an intended transaction-time password requirement, which allows local users to complete a (1) App purchase or (2) In-App purchase by leveraging previous entry of Apple ID credentials...
CVE-2013-5193
The CVE-2013-5193 issue affects Apple iOS up to version 7.0.3, where the App Store component does not properly enforce a required transaction password, allowing a local user to complete (1) App purchases or (2) In‑App purchases by using previously entered Apple ID credentials. The root cause is i...
Cross-site request forgery (CSRF)
Cross-site request forgery (CSRF) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that complete a purchase...
Design/Logic Flaw
The Restrictions (aka Parental Controls) implementation in Apple iOS before 6 does not properly handle purchase attempts after a Disable Restrictions action, which allows local users to bypass an intended Apple ID authentication step via an app that performs purchase transactions...
Romanian Men Indicted For Hacking 150 Subway Restaurants
Four Romanian nationals were charged with hacking into the credit card processing systems of some 150 Subway sandwich shops and those of 50 other unnamed retailers, according to a copy of the indictment PDF. The four men and two co-conspirators, identified by their online pseudonyms,...