Wppizza
Monthly
Sensitive subscriber data exposure in the WPPizza WordPress plugin (versions ≤ 3.19.9) permits any authenticated user with a subscriber-level account to access protected data belonging to other users, such as customer order records or personal information managed by the plugin. The vulnerability stems from insufficient access control enforcement on data retrieval functionality (CWE-497), where low-privilege users are permitted to query sensitive system information outside their authorization scope. No public exploit code or confirmed active exploitation has been identified at time of analysis, though the low access complexity makes opportunistic exploitation realistic on sites permitting public user registration.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ollybach WPPizza allows Reflected XSS.18.13. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Sensitive subscriber data exposure in the WPPizza WordPress plugin (versions ≤ 3.19.9) permits any authenticated user with a subscriber-level account to access protected data belonging to other users, such as customer order records or personal information managed by the plugin. The vulnerability stems from insufficient access control enforcement on data retrieval functionality (CWE-497), where low-privilege users are permitted to query sensitive system information outside their authorization scope. No public exploit code or confirmed active exploitation has been identified at time of analysis, though the low access complexity makes opportunistic exploitation realistic on sites permitting public user registration.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ollybach WPPizza allows Reflected XSS.18.13. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unauth. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.