WooCommerce
All CVEs
62 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-8425 | | Critical | 0.67 | 9.8 | 0.04 | | Feb 28, 2025 | The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.9.2. This makes… |
| CVE-2025-14301 | | Critical | 0.64 | 9.8 | 0.01 | | Jan 14, 2026 | The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. This is due to the `process_table_bulk_actions()` function processing user-supplied file paths without authentication checks, nonce… |
| CVE-2023-33318 | | Critical | 0.64 | 9.9 | 0.01 | | Dec 20, 2023 | Unrestricted Upload of File with Dangerous Type vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 4.9.40. |
| CVE-2026-3891 | | Critical | 0.57 | 9.8 | 0.01 | | Mar 13, 2026 | The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible… |
| CVE-2023-33330 | | High | 0.55 | 8.5 | 0.01 | | Dec 20, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 4.9.50. |
| CVE-2023-32795 | | High | 0.53 | 8.2 | 0.01 | | Dec 28, 2023 | Deserialization of Untrusted Data vulnerability in WooCommerce Product Add-Ons. This issue affects Product Add-Ons: from n/a through 6.1.3. |
| CVE-2025-11722 | | High | 0.49 | 7.5 | 0.01 | | Oct 15, 2025 | The Woocommerce Category and Products Accordion Panel plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'categoryaccordionpanel' shortcode. This makes it possible for authenticated attackers, with Contributor-level… |
| CVE-2023-32743 | | High | 0.49 | 7.6 | 0.01 | | Dec 20, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 5.7.1. |
| CVE-2024-7027 | | High | 0.47 | 7.3 | 0.00 | | Jul 24, 2024 | The WooCommerce - PDF Vouchers plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 4.9.3. This is due to insufficient verification on the user being supplied during a QR code login through the plugin. This makes it possible for… |
| CVE-2024-27193 | | High | 0.46 | 7.1 | 0.00 | | Mar 15, 2024 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PayU India PayU India payu-india allows DOM-Based XSS. This issue affects PayU India: from n/a through <= 3.8.8. |
| CVE-2026-3589 | | High | 0.42 | 7.5 | 0.00 | | Mar 6, 2026 | The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example. |
| CVE-2026-2232 | | High | 0.42 | 7.5 | 0.00 | | Feb 19, 2026 | The Product Table and List Builder for WooCommerce Lite plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 4.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient… |
| CVE-2025-15033 | | Medium | 0.42 | 6.5 | 0.00 | | Dec 22, 2025 | A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting… |
| CVE-2024-12517 | | Medium | 0.42 | 6.4 | 0.00 | | Dec 14, 2024 | The WooCommerce Cart Count Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cart_button' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes.… |
| CVE-2023-36512 | | Medium | 0.42 | 6.5 | 0.00 | | Jun 19, 2024 | Missing Authorization vulnerability in Woo AutomateWoo. This issue affects AutomateWoo: from n/a through 5.7.5. |
| CVE-2024-24799 | | Medium | 0.42 | 6.5 | 0.01 | | Mar 26, 2024 | Missing Authorization vulnerability in WooCommerce WooCommerce Box Office. This issue affects WooCommerce Box Office: from n/a through 1.2.2. |
| CVE-2023-32799 | | Medium | 0.42 | 6.5 | 0.01 | | Dec 21, 2023 | Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Shipping Multiple Addresses. This issue affects Shipping Multiple Addresses: from n/a through 3.8.3. |
| CVE-2026-2019 | | High | 0.40 | 7.2 | 0.00 | | Feb 18, 2026 | The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.1.21. This is due to insufficient input validation on the 'Assign page' field which is passed directly to the eval() function. This makes it possible… |
| CVE-2024-11276 | | Medium | 0.40 | 6.1 | 0.00 | | Dec 6, 2024 | The PDF Builder for WooCommerce. Create invoices,packing slips and more plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.2.136 due to insufficient input sanitization and output escaping. This… |
| CVE-2025-57891 | | Medium | 0.38 | 5.9 | 0.00 | | Aug 22, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpecommerce Recurring PayPal Donations recurring-donation allows Stored XSS. This issue affects Recurring PayPal Donations: from n/a through <= 1.8. |
| CVE-2026-6962 | | Medium | 0.35 | 6.4 | 0.00 | | May 13, 2026 | The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_cog_product_cost' and 'alg_wc_cog_product_profit' shortcodes in all versions up to, and including, 4.1.0 due to… |
| CVE-2024-13355 | | Medium | 0.35 | 5.4 | 0.00 | | Jan 16, 2025 | The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to limited file uploads due to insufficient file type validation in the upload_file() function in all versions up to, and including, 13.2. This makes it possible for… |
| CVE-2023-44999 | | Medium | 0.35 | 5.4 | 0.00 | | Mar 27, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.0. |
| CVE-2023-32794 | | Medium | 0.35 | 5.4 | 0.00 | | Nov 9, 2023 | Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce Product Add-Ons plugin <= 6.1.3 versions. |
| CVE-2023-32745 | | Medium | 0.35 | 5.4 | 0.00 | | Nov 9, 2023 | Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce AutomateWoo plugin <= 5.7.1 versions. |
| CVE-2023-32744 | | Medium | 0.35 | 5.4 | 0.00 | | Nov 9, 2023 | Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce Product Recommendations plugin <= 2.3.0 versions. |
| CVE-2023-7320 | | Medium | 0.34 | 5.3 | 0.00 | | Oct 29, 2025 | The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers… |
| CVE-2024-43219 | | Medium | 0.34 | 5.3 | 0.00 | | Nov 1, 2024 | Missing Authorization vulnerability in ووکامرس فارسی Persian WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Persian WooCommerce: from n/a through 7.1.6. |
| CVE-2016-10112 | | Medium | 0.31 | 4.8 | 0.01 | | Jan 4, 2017 | Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format. |
| CVE-2026-6447 | | Medium | 0.29 | 4.4 | 0.00 | | May 2, 2026 | The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,… |
| CVE-2025-1284 | | Medium | 0.28 | 4.3 | 0.00 | | Apr 24, 2025 | The Woocommerce Automatic Order Printing \| ( Formerly WooCommerce Google Cloud Print) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1 via the xc_woo_printer_preview AJAX action due to missing validation on a user… |
| CVE-2024-1689 | | Medium | 0.28 | 4.3 | 0.00 | | Jun 7, 2024 | The WooCommerce Tools plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the woocommerce_tool_toggle_module() function in all versions up to, and including, 1.2.9. This makes it possible for authenticated attackers, with… |
| CVE-2023-52222 | | Medium | 0.28 | 4.3 | 0.00 | | Jan 8, 2024 | Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2. |
| CVE-2025-13389 | | Medium | 0.27 | 5.3 | 0.00 | | Nov 25, 2025 | The Admin and Customer Messages After Order for WooCommerce: OrderConvo plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `get_order_by_id()` function in all versions up to, and including, 14. This makes it possible for… |
| CVE-2021-32789 | | | 0.07 | — | 0.17 | | Jul 26, 2021 | woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL,… |
| CVE-2018-20782 | | | 0.04 | — | 0.10 | | Feb 17, 2019 | The GloBee plugin before 1.1.2 for WooCommerce mishandles IPN messages. |
| CVE-2023-0865 | | | 0.01 | — | 0.01 | | Mar 20, 2023 | The WooCommerce Multiple Customer Addresses & Shipping WordPress plugin before 21.7 does not ensure that the address to add/update/retrieve/delete and duplicate belong to the user making the request, or is from a high privilege users, allowing any authenticated users, such as… |
| CVE-2025-5062 | | | 0.00 | — | 0.00 | | May 22, 2025 | The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for… |
| CVE-2024-10563 | | | 0.00 | — | 0.00 | | Feb 26, 2025 | The WooCommerce Cart Count Shortcode WordPress plugin before 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored… |
| CVE-2024-13792 | | | 0.00 | — | 0.01 | | Feb 20, 2025 | The WooCommerce Food - Restaurant Menu & Food ordering plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.3.2. This is due to the software allowing users to execute an action that does not properly validate a value before… |
| CVE-2024-13694 | | | 0.00 | — | 0.01 | | Jan 30, 2025 | The WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.8.7 via the download_pdf_file() function due to missing validation on a… |
| CVE-2024-10820 | | | 0.00 | — | 0.01 | | Nov 13, 2024 | The WooCommerce Upload Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 84.3. This makes it possible for unauthenticated attackers to upload arbitrary files… |
| CVE-2024-10711 | | | 0.00 | — | 0.00 | | Nov 5, 2024 | The WooCommerce Report plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.1. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to… |
| CVE-2024-9927 | | | 0.00 | — | 0.00 | | Oct 23, 2024 | The WooCommerce Order Proposal plugin for WordPress is vulnerable to privilege escalation via order proposal in all versions up to and including 2.0.5. This is due to the improper implementation of allow_payment_without_login function. This makes it possible for authenticated… |
| CVE-2024-9944 | | | 0.00 | — | 0.01 | | Oct 15, 2024 | The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject… |
| CVE-2022-3459 | | | 0.00 | — | 0.00 | | Sep 14, 2024 | The WooCommerce Multiple Free Gift plugin for WordPress is vulnerable to gift manipulation in all versions up to, and including, 1.2.3. This is due to plugin not enforcing server-side checks on the products that can be added as a gift. This makes it possible for unauthenticated… |
| CVE-2024-7258 | | | 0.00 | — | 0.01 | | Aug 23, 2024 | The WooCommerce Google Feed Manager plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wppfm_removeFeedFile' function in all versions up to, and including, 2.8.0. This makes it possible for authenticated attackers, with… |
| CVE-2024-3983 | | | 0.00 | — | 0.00 | | Aug 1, 2024 | The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting customers via CSRF attacks. |
| CVE-2023-35049 | | | 0.00 | — | 0.01 | | Jun 19, 2024 | Missing Authorization vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.4.0. |
| CVE-2024-37297 | | | 0.00 | — | 0.00 | | Jun 12, 2024 | WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database,… |
Page 1 of 2