16 matches found
CVE-2026-11567
CVE-2026-11567 affects the SureForms WordPress plugin prior to 2.11.1. The vulnerability is a failure to properly validate the payment amount on forms that use a dynamically sourced (variable/hidden) payment amount, enabling unauthenticated users to underpay for the configured product or subscrip...
EUVD-2026-43625
The SureForms WordPress plugin before 2.11.1 does not properly validate the payment amount on forms that use a dynamically-sourced variable/hidden payment amount, allowing unauthenticated users to underpay for the configured product or subscription. Forms using a fixed configured price are not...
CVE-2026-43928
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the PayPalEmail payment adapter accepts PayPal IPN callbacks and credits the IPN-supplied amount mcgross to the client's balance without validating it against the invoice total. Combined with a $0.05...
CVE-2026-43928 FOSSBilling: Payment amount not validated in PayPalEmail adapter allows invoice underpayment
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the PayPalEmail payment adapter accepts PayPal IPN callbacks and credits the IPN-supplied amount mcgross to the client's balance without validating it against the invoice total. Combined with a $0.05...
CVE-2026-43928
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the PayPalEmail payment adapter accepts PayPal IPN callbacks and credits the IPN-supplied amount mcgross to the client's balance without validating it against the invoice total. Combined with a $0.05...
CVE-2026-43928
FOSSBilling PayPalEmail integration before 0.8.0 credits mc_gross from IPN without validating against the invoice total, combined with a $0.05 epsilon in the credit logic, enabling underpayment of up to $0.04 while marking invoices as paid. Version 0.8.0 patches the issue. No public workaround ex...
CVE-2026-43928 FOSSBilling: Payment amount not validated in PayPalEmail adapter allows invoice underpayment
FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, the PayPalEmail payment adapter accepts PayPal IPN callbacks and credits the IPN-supplied amount mcgross to the client's balance without validating it against the invoice total. Combined with a $0.05...
PT-2026-56032
Name of the Vulnerable Software and Affected Versions FOSSBilling versions prior to 0.8.0 Description The PayPalEmail payment adapter fails to validate the amount supplied via PayPal IPN Instant Payment Notification callbacks, specifically the mc gross variable, against the actual invoice total...
CVE-2026-2729 Forminator – Contact Form, Payment Form & Custom Form Builder <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass via 'paymentid' Parameter
The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public...
CVE-2026-2729
CVE-2026-2729 affects the WordPress plugin Forminator (versions up to 1.52.0). The vulnerability arises from missing authorization when processing attacker-supplied Stripe PaymentIntent identifiers during the public payment flow, allowing unauthenticated attackers to submit high-value paid forms ...
WordPress Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass vulnerability
Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass vulnerability discovered by Kittipat Jitphonchana in WordPress Plugin Forminator versions = 1.52.0...
A user could call mint() with less ETH than the mintPrice and improperly mint badges for a cheaper cost.
Lines of code Vulnerability details Impact users underpaying to mint badges will lead to loss of funds Proof of Concept It checks if msg.value is less than the required mintPrice, but it does not check for the case where msg.value mintPrice. This means: A user could send only 1 wei when the...
Borrower can pay very little collateral for a huge amount of more valuable asset.
Lines of code Vulnerability details Impact When an approved borrower calls borrowAsset , they are able to borrow as much asset as possible and passing the user controlled collateralAmount input with a lesser value worth of collateral. For example, a user can pay 1 USDC collateral and receive 1000...
IndexPool's flashswap trasfer before callback
Handle 0xsanson Vulnerability details Impact The flashswap function in IndexPool.sol doesn't fulfill its function. Indeed it should transfer tokens to the users before they need to pay back, but the transfer happens at the end: ... ITridentCalleemsg.sender.tridentSwapCallbackcontext; // @dev Chec...
c-lightning Security Vulnerabilities
A security vulnerability exists in c-lightning versions prior to 0.7.1 that stems from incorrect access control. A remote attacker could exploit the vulnerability by not paying or underpaying the total cash amount of a transaction...
Eclair has a logic flaw vulnerability
Eclair is a flash wallet for Android based systems.Eclair to 0.3 allows an attacker to trigger a loss of funds due to incorrect access control. An attacker could use the vulnerability to not pay or underpay the total amount of cash...