VYPR

WooCommerce

by WordPress

CVEs (31)

  • CVE-2026-3891 | Critical | Mar 13, 2026
    risk 0.57 | cvss 9.8 | epss 0.01

    The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible…

  • CVE-2017-18356 | High | Jan 15, 2019
    risk 0.57 | cvss 8.8 | epss 0.02

    In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP…

  • CVE-2017-17058 | High | Nov 29, 2017
    risk 0.54 | cvss 7.5 | epss 0.24

    The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, which accesses a parent directory. NOTE: a software maintainer indicates that Directory Traversal is not possible because…

  • CVE-2018-20714 | High | Jan 15, 2019
    risk 0.53 | cvss 8.1 | epss 0.02

    The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate…

  • CVE-2022-4106 | High | Dec 19, 2022
    risk 0.49 | cvss 7.5 | epss 0.01

    The Wholesale Market for WooCommerce WordPress plugin before 1.0.7 does not have an authorisation check and does not validate user input used to generate a system path, allowing unauthenticated attackers to download arbitrary files from the server.

  • CVE-2026-3589 | High | Mar 6, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged-in admin call non-store/WC REST endpoints and create arbitrary admin users, for example via a CSRF attack.

  • CVE-2023-47777 | Medium | Nov 30, 2023
    risk 0.42 | cvss 6.5 | epss 0.01

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks allows Stored XSS. This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1.

  • CVE-2015-2329 | Medium | Feb 8, 2018
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order.

  • CVE-2026-6962 | Medium | May 13, 2026
    risk 0.35 | cvss 6.4 | epss 0.00

    The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_cog_product_cost' and 'alg_wc_cog_product_profit' shortcodes in all versions up to, and including, 4.1.0 due to…

  • CVE-2022-1563 | Medium | Jan 16, 2024
    risk 0.35 | cvss 5.3 | epss 0.01

    The WPGraphQL WooCommerce WordPress plugin before 0.12.4 does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL.

  • CVE-2023-7320 | Medium | Oct 29, 2025
    risk 0.34 | cvss 5.3 | epss 0.00

    The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers…

  • CVE-2021-32790 | Medium | Jul 26, 2021
    risk 0.32 | cvss 4.9 | epss 0.01

    WooCommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site can…

  • CVE-2025-49042 | Medium | Oct 29, 2025
    risk 0.31 | cvss 5.9 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS. This issue affects WooCommerce: from n/a through <= 10.0.2.

  • CVE-2025-26762 | Medium | Mar 27, 2025
    risk 0.31 | cvss 5.9 | epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS. This issue affects WooCommerce: from n/a through <= 9.7.0.

  • CVE-2024-39666 | Medium | Aug 18, 2024
    risk 0.31 | cvss 5.9 | epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 9.1.2.

  • CVE-2016-10112 | Medium | Jan 4, 2017
    risk 0.31 | cvss 4.8 | epss 0.01

    Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format.

  • CVE-2024-1689 | Medium | Jun 7, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    The WooCommerce Tools plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woocommerce_tool_toggle_module() function in all versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with…

  • CVE-2024-22155 | Medium | Apr 7, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.5.2.

  • CVE-2023-52222 | Medium | Jan 8, 2024
    risk 0.28 | cvss 4.3 | epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2.

  • CVE-2022-2099 | Medium | Jul 17, 2022
    risk 0.24 | cvss 4.8 | epss 0.01

    The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to a lack of escaping and sanitizing in the payment gateway titles.
