37 matches found
CVE-2026-9284
The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the ppc-create-order and ppc-get-order WC-AJAX endpoints in all versions up to, and including, 4.0.1. The ppc-create-order endpoi...
CVE-2026-1710
The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to...
CVE-2026-1710
CVE-2026-1710 affects the WooPayments: Integrated WooCommerce Payments plugin for WordPress. A missing capability check in the save_upe_appearance_ajax function allows unauthenticated attackers to modify plugin settings on all versions up to and including 10.5.1. Impact is unauthenticated data mo...
CVE-2026-1710 WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax
The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to...
WordPress plugin WooPayments: Integrated WooCommerce Payments Authorization Issue Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
PT-2026-29191
The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers ...
CVE-2025-9463 Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net <= 1.117.5 - Authenticated (Contributor+) SQL Injection via order_by Parameter
The Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 1.117.5 due to insufficient escaping on the user supplied parameter and...
CVE-2023-28121
An issue in WooCommerce Payments plugin for WordPress versions 5.6.1 and lower allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the...
Exploit for Improper Authentication in Automattic Woocommerce_Payments
CVE-2023-28121 usage: CVE-2023-28121.py -h -v RHOST R...
Wordpress Plugin WooCommerce Payments Unauthenticated Admin Creation
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Wordpress Plugin WooCommerce Payments Unauthenticated Admin Creation', 'Description' = %q WooCommerce-Payments plugin for Wordpress versions 4.8'...
WordPress WooCommerce Payments Plugin <= 6.6.2 is vulnerable to Insecure Direct Object References (IDOR)
Software: WooCommerce Payments. Type: Plugin. Vulnerable versions: <= 6.6.2. Fixed in: 6.7.0. OWASP Top 10: A1: Broken Access Control. Classification: Insecure Direct Object References (IDOR). CVE: CVE-2023-51503. Patch priority: Low. CVSS severity: Low (5.9). PSID: 37fceefefd1e. Credits: Rafie...
WordPress WooCommerce Payments Plugin <= 6.4.2 is vulnerable to Cross Site Scripting (XSS)
Software: WooCommerce Payments. Type: Plugin. Vulnerable versions: <= 6.4.2. Fixed in: 6.5.0. OWASP Top 10: A3: Injection. Classification: Cross Site Scripting (XSS). CVE: CVE-2023-49828. Patch priority: Low. CVSS severity: Low (6.5). PSID: 702b702ee838. Credits: Rafie Muhammad (Patchstack). Require...
Exploit for Improper Authentication in Automattic Woocommerce_Payments
WP-CVE-2023-28121 WooCommerce Payments Python 2.7 Buy Coff...
WooCommerce Payments Plugin for WordPress 6.2.x < 6.2.2 Authentication Bypass
The WooCommerce Payments Plugin installed on the remote host is affected by an authentication bypass vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number. No source data...
WooCommerce Payments Plugin for WordPress 5.3.x < 5.3.1 Authentication Bypass
The WooCommerce Payments Plugin installed on the remote host is affected by an authentication bypass vulnerability. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number. No source data...
WooCommerce Payments < 4.9.0 - Subscription Suspension/Activation via CSRF
Description: The plugin does not have a CSRF check when suspending and activating subscriptions, which could allow attackers to make a logged-in admin suspend or activate arbitrary subscriptions via a CSRF attack. Deactivate subscription with ID 53:...
Attacks, Vulnerabilities and Actors 17 July to 23 July 2023
For a detailed threat digest, download the pdf file here Summary HiveForce Labs recently made several significant discoveries related to cybersecurity threats. Over the past week, the fact that there were a total of eleven attacks executed, nine vulnerabilities, and three different adversaries...
Massive Targeted Exploit Campaign Against WooCommerce Payments Underway
The Wordfence Threat Intelligence team has been monitoring an ongoing exploit campaign targeting a recently disclosed vulnerability in WooCommerce Payments, a plugin installed on over 600,000 sites. Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14...