cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for WooCommerce

Jun 07, 2024

WooCommerce # CVE-2021-24323

CVE, Research URL

CVE-2021-24323

Application

WooCommerce

Date
May 17, 2021
Research Description
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high-privilege users such as admins to use XSS payloads even when unfiltered_html is disabled.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2020-29156

CVE, Research URL

CVE-2020-29156

Application

WooCommerce

Date
Dec 28, 2020
Research Description
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2021-32790

CVE, Research URL

CVE-2021-32790

Application

WooCommerce

Date
Jul 26, 2021
Research Description
WooCommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site, can exploit vulnerable endpoints of `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook-listing APIs. Read-only SQL queries can be executed using this exploit; while no data is returned directly, information can be disclosed using timing and related attacks by carefully crafting the `search` parameter. Version 3.3.6 is the earliest version of WooCommerce with a patch for this vulnerability. There are no known workarounds other than upgrading.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2016-10112

CVE, Research URL

CVE-2016-10112

Application

WooCommerce

Date
Jan 04, 2017
Research Description
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2015-2069

CVE, Research URL

CVE-2015-2069

Application

WooCommerce

Date
Feb 24, 2015
Research Description
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.2.11 for WordPress allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING in the wc-reports page to wp-admin/admin.php.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2017-18356

CVE, Research URL

CVE-2017-18356

Application

WooCommerce

Date
Jan 15, 2019
Research Description
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2015-2329

CVE, Research URL

CVE-2015-2329

Application

WooCommerce

Date
Feb 09, 2018
Research Description
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2018-20714

CVE, Research URL

CVE-2018-20714

Application

WooCommerce

Date
Jan 15, 2019
Research Description
The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate privileges to admin.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2017-17058

CVE, Research URL

CVE-2017-17058

Application

WooCommerce

Date
Nov 29, 2017
Research Description
The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, which accesses a parent directory. NOTE: a software maintainer indicates that Directory Traversal is not possible because all of the template files have "if (!defined('ABSPATH')) {exit;}" code.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2014-6313

CVE, Research URL

CVE-2014-6313

Application

WooCommerce

Date
Oct 14, 2014
Research Description
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the range parameter on the wc-reports page to wp-admin/admin.php.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2019-9168

CVE, Research URL

CVE-2019-9168

Application

WooCommerce

Date
Feb 26, 2019
Research Description
WooCommerce before 3.5.5 allows XSS via a Photoswipe caption.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2022-2099

CVE, Research URL

CVE-2022-2099

Application

WooCommerce

Date
Jul 17, 2022
Research Description
The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2022-0775

CVE, Research URL

CVE-2022-0775

Application

WooCommerce

Date
Jan 16, 2024
Research Description
The WooCommerce WordPress plugin before 6.2.1 does not have a proper authorisation check when deleting reviews, which could allow any authenticated user, such as a subscriber, to delete arbitrary comments.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2023-47777

CVE, Research URL

CVE-2023-47777

Application

WooCommerce

Date
Nov 30, 2023
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks allows Stored XSS. This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2023-52222

CVE, Research URL

CVE-2023-52222

Application

WooCommerce

Date
Jan 09, 2024
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2024-22155

CVE, Research URL

CVE-2024-22155

Application

WooCommerce

Date
Apr 07, 2024
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.5.2.
Affected versions
Min -, max -.
Status
vulnerable

WooCommerce # CVE-2024-1310

CVE, Research URL

CVE-2024-1310

Application

WooCommerce

Date
Apr 15, 2024
Research Description
The WooCommerce WordPress plugin before 8.6 does not prevent users with at least the contributor role from leaking products they shouldn't have access to (e.g. private, draft and trashed products).
Affected versions
Min -, max -.
Status
vulnerable
Jun 14, 2024

WooCommerce # CVE-2024-37297

CVE, Research URL

CVE-2024-37297

Application

WooCommerce

Date
Jun 12, 2024
Research Description
WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.
Affected versions
Min -, max -.
Status
vulnerable
Jun 30, 2024

WooCommerce # CVE-2024-35777

CVE, Research URL

CVE-2024-35777

Application

WooCommerce

Date
Jul 09, 2024
Research Description
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing. This issue affects WooCommerce: from n/a through 8.9.2.
Affected versions
Min -, max -.
Status
vulnerable
Aug 19, 2024

WooCommerce # CVE-2024-39666

CVE, Research URL

CVE-2024-39666

Application

WooCommerce

Date
Aug 18, 2024
Research Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 9.1.2.
Affected versions
Min -, max -.
Status
vulnerable
Oct 15, 2024

WooCommerce # CVE-2024-9944

CVE, Research URL

CVE-2024-9944

Application

WooCommerce

Date
Oct 15, 2024
Research Description
The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions.
Affected versions
Min -, max -.
Status
vulnerable
Mar 26, 2025

WooCommerce # CVE-2025-26762

CVE, Research URL

CVE-2025-26762

Application

WooCommerce

Date
Mar 27, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce allows Stored XSS. This issue affects WooCommerce: from n/a through 9.7.0.
Affected versions
Min -, max -.
Status
vulnerable
May 30, 2025

WooCommerce # CVE-2025-5062

CVE, Research URL

CVE-2025-5062

Application

WooCommerce

Date
May 22, 2025
Research Description
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
Min -, max -.
Status
vulnerable