Lucene search
+L

3529 matches found

NVD
NVD
added yesterday6 views

CVE-2026-12393

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders...

5.4CVSS0.00132EPSS
Exploits0References1
CVE
CVE
added yesterday13 views

CVE-2026-12393

The vulnerability CVE-2026-12393 affects the WPS Bookings for WooCommerce WordPress plugin prior to version 3.11.7. The root cause is that the plugin does not verify that a booking order belongs to the requesting user before cancellation, enabling any authenticated user (e.g., Subscriber/Customer...

5.4CVSS6.1AI score0.00132EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday25 views

CVE-2026-12393 WPS Bookings for WooCommerce < 3.11.7 - Subscriber+ Arbitrary Booking Order Cancellation via IDOR

The WPS Bookings for WooCommerce WordPress plugin before 3.11.7 does not verify that a booking order belongs to the requesting user before cancelling it, allowing any authenticated user, such as a Subscriber or Customer, to cancel and void other customers' booking orders...

0.00132EPSS
Exploits0References1
NVD
NVD
added yesterday9 views

CVE-2026-15349

The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.17.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS0.00272EPSS
Exploits0References10
Nuclei
Nuclei
added yesterday21 views

WCAPF WooCommerce Ajax Product Filter - SQL Injection

WCAPF WooCommerce Ajax Product Filter = 4.2.3 contains a time-based SQL injection caused by insufficient escaping of the 'post-author' parameter, letting unauthenticated attackers extract sensitive database information remotely. id: CVE-2026-3396 info: name: WCAPF WooCommerce Ajax Product Filter ...

7.5CVSS5.6AI score0.01473EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday35 views

Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update

YIKES Inc. Custom Product Tabs for WooCommerce plugin \u003C= 1.7.7 contains a broken access control caused by improper permission checks in &yikes-the-content-toggle option update, letting attackers modify content without authorization. id: CVE-2022-28666 info: name: Custom Product Tabs for...

5.3CVSS5.6AI score0.01226EPSS
Exploits1References1
Nuclei
Nuclei
added yesterday36 views

WordPress OrderConvo < 14 - Path Traversal

WooCommerce OrderConvo WordPress plugin \u003C 14 contains a path traversal vulnerability caused by improper validation of file download paths, letting unauthenticated attackers read or download arbitrary files remotely id: CVE-2025-10162 info: name: WordPress OrderConvo 14 - Path Traversal autho...

7.5CVSS5.4AI score0.03632EPSS
Exploits4References3
ATTACKERKB
ATTACKERKB
added yesterday5 views

CVE-2026-15349

The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.17.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS6.2AI score0.00272EPSS
Exploits0References11
Nuclei
Nuclei
added 2 days ago17 views

Hippoo Mobile App for WooCommerce <= 1.9.4 - Authentication Bypass to Admin Account Takeover

Hippoo Mobile App for WooCommerce WordPress plugin = 1.9.4 contains an authentication bypass caused by logic conflation in user permission checks, letting unauthenticated attackers take over administrator accounts via REST API password reset. id: CVE-2026-10580 info: name: Hippoo Mobile App for...

9.8CVSS6.1AI score0.02841EPSS
Exploits1References2
EUVD
EUVD
added 2 days ago9 views

EUVD-2026-44902

The SysBasics Customize My Account for WooCommerce – Live My Account Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rowtype' parameter in all versions up to, and including, 4.4.14 due to insufficient input sanitization and output escaping. This makes it...

4.4CVSS6.2AI score0.00208EPSS
Exploits0References8
Cvelist
Cvelist
added 2 days ago40 views

CVE-2026-15324 SysBasics Customize My Account for WooCommerce <= 4.4.14 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'row_type' Parameter

The SysBasics Customize My Account for WooCommerce – Live My Account Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rowtype' parameter in all versions up to, and including, 4.4.14 due to insufficient input sanitization and output escaping. This makes it...

4.4CVSS0.00208EPSS
Exploits0References8
NVD
NVD
added 2 days ago9 views

CVE-2026-12585

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is...

8.1CVSS0.00226EPSS
Exploits0References1
NVD
NVD
added 2 days ago7 views

CVE-2026-12684

The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files bounded to an image a...

6.5CVSS0.00249EPSS
Exploits0References1
NVD
NVD
added 2 days ago8 views

CVE-2026-12492

The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well ...

9.8CVSS0.00283EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-44877

The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files bounded to an image a...

6.5CVSS6.1AI score0.00249EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-44876

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is...

8.1CVSS6.1AI score0.00226EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago36 views

CVE-2026-12492 Happy Coders OTP Login for WooCommerce < 2.8 - Unauthenticated Account Takeover via hcotp_auto_login_user

The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well ...

0.00283EPSS
Exploits0References1
CVE
CVE
added 2 days ago13 views

CVE-2026-12492

The CVE-2026-12492 entry concerns the Happy Coders OTP Login for WooCommerce WordPress plugin prior to 2.8. The root cause is that the plugin does not verify that a One-Time Password was actually validated before authenticating a user based on a provided identifier. This enables unauthenticated a...

9.8CVSS6.1AI score0.00283EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago41 views

CVE-2026-12585 Abandoned Cart Lite for WooCommerce < 6.8.2 - Unauthenticated Account Takeover via Malleable Recovery-Link Token

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is...

0.00226EPSS
Exploits0References1
CVE
CVE
added 2 days ago17 views

CVE-2026-12585

The CVE-2026-12585 describes a vulnerability in the Abandoned Cart Lite for WooCommerce WordPress plugin (versions before 6.8.2). The root cause is failure to protect the integrity of cart-recovery tokens and failure to bind them to the requesting account, enabling unauthenticated attackers to fo...

8.1CVSS6.1AI score0.00226EPSS
Exploits0References1
Rows per page
Query Builder