cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for WooCommerce (woocommerce)

Jun 07, 2024

WooCommerce # CVE-2021-24323

CVE, Research URL

CVE-2021-24323

Application

WooCommerce

Date
May 17, 2021
Research Description
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high-privilege users such as admins to use XSS payloads even when the unfiltered_html capability is disabled.
Affected versions
max 5.2.0.
Status
vulnerable

WooCommerce # CVE-2020-29156

CVE, Research URL

CVE-2020-29156

Application

WooCommerce

Date
Dec 28, 2020
Research Description
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
Affected versions
max 4.7.0.
Status
vulnerable

WooCommerce # CVE-2021-32790

CVE, Research URL

CVE-2021-32790

Application

WooCommerce

Date
Jul 26, 2021
Research Description
WooCommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors who already have admin access or API keys to the WooCommerce site can exploit the vulnerable endpoints `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing APIs. Read-only SQL queries can be executed using this exploit; while data is not returned directly, by carefully crafting the `search` parameter, information can be disclosed using timing and related attacks. Version 3.3.6 is the earliest version of WooCommerce with a patch for this vulnerability. There are no known workarounds other than upgrading.
Affected versions
max 6.6.0.
Status
vulnerable

WooCommerce # CVE-2016-10112

CVE, Research URL

CVE-2016-10112

Application

WooCommerce

Date
Jan 04, 2017
Research Description
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format.
Affected versions
max 2.6.9.
Status
vulnerable

WooCommerce # CVE-2015-2069

CVE, Research URL

CVE-2015-2069

Application

WooCommerce

Date
Feb 24, 2015
Research Description
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.2.11 for WordPress allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING in the wc-reports page to wp-admin/admin.php.
Affected versions
max 2.2.11.
Status
vulnerable

WooCommerce # CVE-2017-18356

CVE, Research URL

CVE-2017-18356

Application

WooCommerce

Date
Jan 15, 2019
Research Description
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.
Affected versions
max 3.2.4.
Status
vulnerable

WooCommerce # CVE-2015-2329

CVE, Research URL

CVE-2015-2329

Application

WooCommerce

Date
Feb 09, 2018
Research Description
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order.
Affected versions
Min 2.3, max 2.3.5.
Status
vulnerable

WooCommerce # CVE-2018-20714

CVE, Research URL

CVE-2018-20714

Application

WooCommerce

Date
Jan 15, 2019
Research Description
The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate privileges to admin.
Affected versions
max 3.4.6.
Status
vulnerable

WooCommerce # CVE-2017-17058

CVE, Research URL

CVE-2017-17058

Application

WooCommerce

Date
Nov 29, 2017
Research Description
The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, which accesses a parent directory. NOTE: a software maintainer indicates that Directory Traversal is not possible because all of the template files have "if (!defined('ABSPATH')) {exit;}" code.
Affected versions
max 4.0.
Status
vulnerable

WooCommerce # CVE-2014-6313

CVE, Research URL

CVE-2014-6313

Application

WooCommerce

Date
Oct 14, 2014
Research Description
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the range parameter on the wc-reports page to wp-admin/admin.php.
Affected versions
max 2.2.3.
Status
vulnerable

WooCommerce # CVE-2019-9168

CVE, Research URL

CVE-2019-9168

Application

WooCommerce

Date
Feb 26, 2019
Research Description
WooCommerce before 3.5.5 allows XSS via a Photoswipe caption.
Affected versions
max 3.5.5.
Status
vulnerable

WooCommerce # CVE-2022-2099

CVE, Research URL

CVE-2022-2099

Application

WooCommerce

Date
Jul 17, 2022
Research Description
The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to a lack of escaping and sanitizing in the payment gateway titles.
Affected versions
Min 2.0.20, max 6.6.0.
Status
vulnerable

WooCommerce # CVE-2022-0775

CVE, Research URL

CVE-2022-0775

Application

WooCommerce

Date
Jan 16, 2024
Research Description
The WooCommerce WordPress plugin before 6.2.1 does not have a proper authorisation check when deleting reviews, which could allow any authenticated user, such as a subscriber, to delete arbitrary comments.
Affected versions
max 6.2.1.
Status
vulnerable

WooCommerce # CVE-2023-47777

CVE, Research URL

CVE-2023-47777

Application

WooCommerce

Date
Nov 30, 2023
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce and Automattic WooCommerce Blocks allows Stored XSS. This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1.
Affected versions
max 8.2.0.
Status
vulnerable

WooCommerce # CVE-2023-52222

CVE, Research URL

CVE-2023-52222

Application

WooCommerce

Date
Jan 09, 2024
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2.
Affected versions
max 8.3.0.
Status
vulnerable

WooCommerce # CVE-2024-22155

CVE, Research URL

CVE-2024-22155

Application

WooCommerce

Date
Apr 07, 2024
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.5.2.
Affected versions
max 8.6.0.
Status
vulnerable

WooCommerce # CVE-2024-1310

CVE, Research URL

CVE-2024-1310

Application

WooCommerce

Date
Apr 15, 2024
Research Description
The WooCommerce WordPress plugin before 8.6 does not prevent users with at least the contributor role from leaking products they shouldn't have access to (e.g. private, draft and trashed products).
Affected versions
max 8.6.
Status
vulnerable
Jun 14, 2024

WooCommerce # CVE-2024-37297

CVE, Research URL

CVE-2024-37297

Application

WooCommerce

Date
Jun 12, 2024
Research Description
WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.
Affected versions
max 8.9.3.
Status
vulnerable
Jun 30, 2024

WooCommerce # CVE-2024-35777

CVE, Research URL

CVE-2024-35777

Application

WooCommerce

Date
Jul 09, 2024
Research Description
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing. This issue affects WooCommerce: from n/a through 8.9.2.
Affected versions
max 9.0.0.
Status
vulnerable
Aug 19, 2024

WooCommerce # CVE-2024-39666

CVE, Research URL

CVE-2024-39666

Application

WooCommerce

Date
Aug 18, 2024
Research Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 9.1.2.
Affected versions
max 9.1.3.
Status
vulnerable
Oct 15, 2024

WooCommerce # CVE-2024-9944

CVE, Research URL

CVE-2024-9944

Application

WooCommerce

Date
Oct 15, 2024
Research Description
The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions.
Affected versions
max 9.1.0.
Status
vulnerable
Mar 26, 2025

WooCommerce # CVE-2025-26762

CVE, Research URL

CVE-2025-26762

Application

WooCommerce

Date
Mar 27, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS. This issue affects WooCommerce: from n/a through <= 9.7.0.
Affected versions
max 9.7.1.
Status
vulnerable
May 30, 2025

WooCommerce # CVE-2025-5062

CVE, Research URL

CVE-2025-5062

Application

WooCommerce

Date
May 22, 2025
Research Description
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 9.3.4.
Status
vulnerable
Dec 09, 2025

WooCommerce # CVE-2025-49042

CVE, Research URL

CVE-2025-49042

Application

WooCommerce

Date
Oct 29, 2025
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS. This issue affects WooCommerce: from n/a through <= 10.0.2.
Affected versions
max 10.0.3.
Status
vulnerable
Jan 27, 2026

WooCommerce # CVE-2025-15033

CVE, Research URL

CVE-2025-15033

Application

WooCommerce

Date
Dec 23, 2025
Research Description
A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.
Affected versions
max 10.4.3.
Status
vulnerable
Apr 13, 2026

WooCommerce # CVE-2026-3589

CVE, Research URL

CVE-2026-3589

Application

WooCommerce

Date
Mar 06, 2026
Research Description
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged-in admin call non-store/WC REST endpoints and, for example, create arbitrary admin users via a CSRF attack.
Affected versions
max 10.5.3.
Status
vulnerable
Jun 16, 2026

WooCommerce # 7ff0b9435a94549e23225d1163a9592fdfb8e1b9

Application

WooCommerce

Date
Feb 23, 2022
Research Description
WooCommerce [woocommerce] < 6.2.1
WordPress WooCommerce plugin <= 6.2.0 - Arbitrary Comment Deletion vulnerability
Arbitrary Comment Deletion vulnerability discovered in WordPress WooCommerce plugin (versions <= 6.2.0).
Affected versions
max 6.2.1.
Status
vulnerable

WooCommerce # 6ab7d4fa44f0eff509b12cc4ae5ae9923df385b4

Application

WooCommerce

Date
Nov 06, 2020
Research Description
WooCommerce [woocommerce] < 4.6.2
WordPress WooCommerce plugin <= 4.6.1 - Guest Account Creation vulnerability
Guest Account Creation vulnerability found in WordPress WooCommerce plugin (versions <= 4.6.1).
Affected versions
max 4.6.2.
Status
vulnerable

WooCommerce # 5649347acd519397ed92ba6eb281e90adb3d0c9a

Application

WooCommerce

Date
Jul 07, 2019
Research Description
WooCommerce [woocommerce] < 3.6.5
WordPress WooCommerce plugin <= 3.6.4 - Cross-Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery (CSRF) vulnerability found in WordPress WooCommerce plugin (versions <= 3.6.4).
Affected versions
max 3.6.5.
Status
vulnerable

WooCommerce # 66aea82791db33970a12e7f7d7e8125ef6ee9d30

Application

WooCommerce

Date
Jul 15, 2021
Research Description
WooCommerce [woocommerce] < 5.5.1
WordPress WooCommerce plugin <= 5.5.0 - Unauthenticated SQL Injection (SQLi) vulnerability
Unauthenticated SQL Injection (SQLi) vulnerability discovered in WordPress WooCommerce plugin (versions <= 5.5.0).
Affected versions
max 5.5.1.
Status
vulnerable

WooCommerce # ab4a39c1f4c6f48c4dd41a7c121d574503bc9707

Application

WooCommerce

Date
Apr 29, 2021
Research Description
WooCommerce [woocommerce] < 5.2.0
WordPress WooCommerce plugin <= 5.1.0 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability
Authenticated Persistent Cross-Site Scripting (XSS) vulnerability discovered by m0ze in WordPress WooCommerce plugin (versions <= 5.1.0).
Affected versions
max 5.2.0.
Status
vulnerable

WooCommerce # 7a219320d6ead92e02fde1f9b7c4a51feec217cc

Application

WooCommerce

Date
Feb 23, 2022
Research Description
WooCommerce [woocommerce] < 6.2.1
WordPress WooCommerce plugin <= 6.2.0 - Path Traversal via Importers vulnerability
Path Traversal via Importers vulnerability discovered in WordPress WooCommerce plugin (versions <= 6.2.0).
Affected versions
max 6.2.1.
Status
vulnerable

WooCommerce # 3d8ef05141df6232add605c1a5ee1ec2390d6a7d

Application

WooCommerce

Date
Sep 22, 2021
Research Description
WooCommerce [woocommerce] < 5.7.0
WordPress WooCommerce plugin <= 5.6.0 - Analytics Report Leaks vulnerability
Analytics Report Leaks vulnerability discovered in the WordPress WooCommerce plugin (versions <= 5.6.0).
Affected versions
max 5.7.0.
Status
vulnerable

WooCommerce # 7c1c4809008b686d1aa8e43a301747a5c1f09590

Application

WooCommerce

Date
Jan 07, 2019
Research Description
WooCommerce [woocommerce] < 3.5.1
WordPress WooCommerce plugin <= 3.5.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability found by Ripstech in WordPress WooCommerce plugin (versions <= 3.5.0).
Affected versions
max 3.5.1.
Status
vulnerable

WooCommerce # 695aa44ecdb912129467df2e622b85992bf865c1

Application

WooCommerce

Date
Mar 10, 2022
Research Description
WooCommerce [woocommerce] < 6.3.1
WordPress WooCommerce plugin <= 6.3.0 - Orders Status Change (via PayPal Standard Gateway) vulnerability
Orders Status Change (via PayPal Standard Gateway) vulnerability discovered in WordPress WooCommerce plugin (versions <= 6.3.0).
Affected versions
max 6.3.1.
Status
vulnerable

WooCommerce # 2881ce043809d154cf85a5ac2008f864e22266e6

Application

WooCommerce

Date
Nov 07, 2018
Research Description
WooCommerce [woocommerce] < 3.4.6
WordPress WooCommerce plugin <= 3.4.5 - Authenticated File Deletion to Privilege Escalation vulnerability
Authenticated File Deletion to Privilege Escalation vulnerability found in WordPress WooCommerce plugin (versions <= 3.4.5).
Affected versions
max 3.4.6.
Status
vulnerable

WooCommerce # 7f16eef33696b69f02c41228a121f5ccc186784d

Application

WooCommerce

Date
Oct 29, 2018
Research Description
WooCommerce [woocommerce] < 3.4.6
WordPress WooCommerce plugin <= 3.4.5 - Authenticated Object Injection vulnerability
Authenticated Object Injection vulnerability found by Slavco in WordPress WooCommerce plugin (versions <= 3.4.5).
Affected versions
max 3.4.6.
Status
vulnerable

WooCommerce # 5fe4e02e4602ca1cad893a0b5dc7aa7e406d5397

Application

WooCommerce

Date
Jun 10, 2015
Research Description
WooCommerce [woocommerce] < 2.2.3
WordPress WooCommerce Plugin <= 2.1.12 - Reflected XSS
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
Affected versions
max 2.2.3.
Status
vulnerable

WooCommerce # 1bc232658a1604c77b378ca30b3df17139be674e

Application

WooCommerce

Date
May 15, 2015
Research Description
WooCommerce [woocommerce] < 2.0.13
WordPress WooCommerce Plugin <= 2.0.12 - Cross Site Scripting
This plugin is prone to a cross-site scripting vulnerability via the index.php calc_shipping_state parameter. Update the plugin.
Affected versions
max 2.0.13.
Status
vulnerable

WooCommerce # 3b50856e13c3ba90bb61eed52fe902192a1e7a96

Application

WooCommerce

Date
Apr 10, 2022
Research Description
WooCommerce [woocommerce] < 5.7.0
WooCommerce < 5.7.0 & WooCommerce Admin < 2.6.4 - Information Disclosure
The WooCommerce and WooCommerce Admin plugins for WordPress are vulnerable to Sensitive Data Exposure in versions up to 5.7.0 for WooCommerce and 2.6.4 for WooCommerce Admin due to insufficient protection of the directory in which analytics reports are stored. This makes it possible for attackers to extract sensitive data related to report analytics on certain host configurations.
Affected versions
max 5.7.0.
Status
vulnerable

WooCommerce # 5e222706e0976f2c77ee775b6e408fb92415f933

Application

WooCommerce

Date
Dec 11, 2018
Research Description
WooCommerce [woocommerce] < 3.4.6
WordPress WooCommerce plugin <= 3.4.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability
Authenticated Stored Cross-Site Scripting (XSS) vulnerability found in WordPress WooCommerce plugin (versions <= 3.4.5).
Affected versions
max 3.4.6.
Status
vulnerable

WooCommerce # 3112a20e2a44be5d3b691aa2a82da1db9de1e571

Application

WooCommerce

Date
Sep 01, 2018
Research Description
WooCommerce [woocommerce] < 3.4.5
WordPress WooCommerce plugin <= 3.4.4 - Potential Object Injection vulnerability
According to WooCommerce, versions 3.4.4 and earlier are affected by an issue where a function that updates attributes could lead to object injection, related to the WordPress 4.8.3 security release.
Affected versions
max 3.4.5.
Status
vulnerable

WooCommerce # f53782e0528442b26d2e5c45e04bb136681afa7a

Application

WooCommerce

Date
Jul 20, 2016
Research Description
WooCommerce [woocommerce] < 2.6.3
WordPress WooCommerce Plugin <= 2.6.2 - Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
Affected versions
max 2.6.3.
Status
vulnerable

WooCommerce # f6faa6785aacc0dfbb7e3981ee6d74ab9ec9f46a

Application

WooCommerce

Date
Feb 23, 2018
Research Description
WooCommerce [woocommerce] < 3.2.4
WordPress WooCommerce plugin <= 3.2.3 - Authenticated PHP Object Injection vulnerability
Authenticated PHP Object Injection vulnerability found in WordPress WooCommerce plugin (versions <= 3.2.3).
Affected versions
max 3.2.4.
Status
vulnerable

WooCommerce # b1b1e3352eb42153da0dd29d5b6707d8061bb32e

Application

WooCommerce

Date
Sep 09, 2016
Research Description
WooCommerce [woocommerce] < 2.6.4
WordPress WooCommerce Plugin <= 2.6.3 - Cross Site Scripting
This plugin is prone to a stored cross-site scripting vulnerability via the REST API. Update the plugin.
Affected versions
max 2.6.4.
Status
vulnerable

WooCommerce # f4c49a0ee2d31ad566d2b0ed8897bdc9b93f2375

Application

WooCommerce

Date
Nov 17, 2015
Research Description
WooCommerce [woocommerce] < 2.4.9
WordPress WooCommerce Plugin <= 2.4.8 - Cross Site Scripting
Because of this vulnerability, attackers can inject arbitrary JavaScript or HTML code. Update the plugin.
Affected versions
max 2.4.9.
Status
vulnerable

WooCommerce # 5b2ca17949da7cb03cc0cc5b53a342109291a86a

Application

WooCommerce

Date
Jun 17, 2015
Research Description
WooCommerce [woocommerce] < 2.3.11
WordPress WooCommerce Plugin <= 2.3.10 - XXE
This plugin has a PHP bug which allows critical files to be downloaded. An attacker can access these files and compromise the site. Update the plugin.
Affected versions
max 2.3.11.
Status
vulnerable

WooCommerce # f25e903f15df74bb85b2c464c4570f4f76adc511

Application

WooCommerce

Date
May 15, 2015
Research Description
WooCommerce [woocommerce] < 2.0.18
WordPress WooCommerce Plugin <= 2.0.17 - Reflected Cross Site Scripting
This plugin is prone to a cross-site scripting vulnerability via the hide-wc-extensions-message parameter. Update the plugin.
Affected versions
max 2.0.18.
Status
vulnerable

WooCommerce # 0857b6b0161182ae366a0af377962535abbda70b

Application

WooCommerce

Date
May 15, 2015
Research Description
WooCommerce [woocommerce] < 2.3.6
WordPress WooCommerce Plugin <= 2.3.5 - SQL Injection
Because of this vulnerability, remote authenticated users can execute arbitrary SQL commands. Update the plugin.
Affected versions
max 2.3.6.
Status
vulnerable

WooCommerce # 80a68530774593703176012db68a7eac310bda11

Application

WooCommerce

Date
Jun 22, 2020
Research Description
WooCommerce [woocommerce] < 4.2.1
WooCommerce <= 4.2.0 - Reflected Cross-Site Scripting
The WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to missing sanitization and escaping in SelectWoo, which makes it possible for attackers to inject arbitrary web scripts. This affects versions up to 4.2.1.
Affected versions
max 4.2.1.
Status
vulnerable

WooCommerce # e21a13453469f19cac1eb7a7f766765bbc255e7a

Application

WooCommerce

Date
Jul 26, 2016
Research Description
WooCommerce [woocommerce] < 2.6.4
WooCommerce <= 2.6.3 - Stored Cross-Site Scripting via REST-API
The WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image uploader feature powered by the /wc-api/v3/products/categories/ REST-API in versions up to, and including, 2.6.3 due to insufficient filetype validation. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.6.4.
Status
vulnerable

WooCommerce # 373e4dc07c53895b3f6b848d829e17d55f724517

Application

WooCommerce

Date
Feb 22, 2022
Research Description
WooCommerce [woocommerce] < 6.2.1
WooCommerce <= 6.2.0 - Incorrect Authorization Checks on REST API Endpoints
The WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an insufficient capability check on the /wc/v2/products/ REST API in versions up to, and including, 6.2.0. This makes it possible for authenticated attackers with minimal permissions such as a subscriber to delete, edit, and read arbitrary comments and reviews.
Affected versions
max 6.2.1.
Status
vulnerable

WooCommerce # 25cd2e5224ceb8e144c3f04665cc2bf060a3e253

Application

WooCommerce

Date
Nov 17, 2015
Research Description
WooCommerce [woocommerce] < 2.4.9
WooCommerce < 2.4.9 - Cross-site Scripting
The WooCommerce plugin for WordPress is vulnerable to Cross-Site Scripting via the pay_price() function, in versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator privileges to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.4.9.
Status
vulnerable

WooCommerce # 009a2c2d6d4a280f240576221c6d9c7773b1334a

Application

WooCommerce

Date
Jul 19, 2016
Research Description
WooCommerce [woocommerce] < 2.6.3
WooCommerce <= 2.6.2 - Stored Cross-Site Scripting
The WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image EXIF metadata in versions up to, and including, 2.6.2 due to insufficient validation on image files' EXIF content. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.6.3.
Status
vulnerable

WooCommerce # dc9f67fb79cd640b3af080a3e4fdab2178e4d99b

Application

WooCommerce

Date
Sep 17, 2014
Research Description
WooCommerce [woocommerce] < 2.2.3
WooCommerce <= 2.2.2 - Reflected Cross-Site Scripting
The WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 2.2.3.
Status
vulnerable

WooCommerce # ba4bccfa530a3ac6256a47136d3933ddc904b019

Application

WooCommerce

Date
Mar 10, 2022
Research Description
WooCommerce [woocommerce] < 6.3.1
WooCommerce < 6.3.1 - Unauthorized Order Status Change
The WooCommerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check and nonce check on the PayPal order updates functionality in versions up to, and including, 6.3.0. This makes it possible for authenticated attackers to change the status of arbitrary orders that have been created with PayPal.
Affected versions
max 6.3.1.
Status
vulnerable

WooCommerce # 1fed8fc807d0643ef7ecc5918431bdb4c18661c6

Application

WooCommerce

Date
Feb 22, 2022
Research Description
WooCommerce [woocommerce] < 6.2.1
WooCommerce <= 6.2.0 - Path Traversal via Tax Importer
The WooCommerce plugin for WordPress is vulnerable to path traversal via the 'file_url' parameter found in the importers functionality in versions up to, and including, 6.2.0. This makes it possible for authenticated attackers, with high-level permissions such as an administrator, to access files outside of the intended directory when performing an import.
Affected versions
max 6.2.1.
Status
vulnerable

WooCommerce # 41f3a783e71e811a10a0fb89757b2dfb043d2f4d

Application

WooCommerce

Date
May 05, 2020
Research Description
WooCommerce [woocommerce] < 4.1.0
WooCommerce <= 4.0.4 - Unauthorized Post Meta Creation/Modification
The WooCommerce plugin for WordPress is vulnerable to arbitrary product meta data creation/overwriting due to a lack of escaping and validation on the post meta data being supplied during product duplication in versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with product duplicating capabilities, to modify post meta that could potentially be used to achieve remote code execution.
Affected versions
max 4.1.0.
Status
vulnerable

WooCommerce # 3893d977bae8486e98cea9c72c27da920233e509

Application

WooCommerce

Date
Nov 29, 2018
Research Description
WooCommerce [woocommerce] < 3.5.2
WooCommerce <= 3.5.1 - Authenticated Stored Cross-Site Scripting
The WooCommerce plugin for WordPress is vulnerable to Cross-Site Scripting due to insufficient sanitization and escaping of an unspecified variable, which makes it possible for attackers to inject arbitrary web scripts into pages. This affects versions up to 3.5.0, and can be exploited by users with write-access API keys.
Affected versions
max 3.5.2.
Status
vulnerable

WooCommerce # d4c98be7eeae0c6560670574afaf0aad8a9e2817

Application

WooCommerce

Date
Aug 29, 2018
Research Description
WooCommerce [woocommerce] < 3.4.5
WooCommerce <= 3.4.4 - Authenticated PHP Object Injection
The WooCommerce plugin for WordPress is vulnerable to PHP Object Injection by users with access to edit attributes in versions up to, and including, 3.4.4.
Affected versions
max 3.4.5.
Status
vulnerable

WooCommerce # 7c89cd5e57fec6515bcfa76d45b6137ae3e03cad

Application

WooCommerce

Date
Nov 05, 2020
Research Description
WooCommerce [woocommerce] < 4.6.2
WooCommerce <= 4.6.1 & WooCommerce Blocks <= 3.7.0 - Settings Bypass leading to Account Creation
The WooCommerce plugin for WordPress is vulnerable to unauthorized user account creation during checkout, even when the “Allow customers to create an account during checkout” setting is disabled, due to missing authorization checks in versions up to and including 4.6.1. The WooCommerce Blocks plugin for WordPress is vulnerable to the same issue in versions up to, and including, 3.7.1.
Affected versions
max 4.6.2.
Status
vulnerable

WooCommerce # 900d393aa4a083f4816cf9d340f914404b688029

Application

WooCommerce

Date
Jul 02, 2019
Research Description
WooCommerce [woocommerce] < 3.6.5
WooCommerce <= 3.6.4 - Missing File Type Validation
The WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads via the tax rate importer due to missing file type validation that made it possible for high-level authenticated attackers to upload malicious files in versions up to, and including, 3.6.4.
Affected versions
max 3.6.5.
Status
vulnerable

WooCommerce # 58c79829f3eccd7753727255a909ba97e7640f85

Application

WooCommerce

Date
Jul 02, 2019
Research Description
WooCommerce [woocommerce] < 3.6.5
WooCommerce <= 3.6.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting
The WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6.4, due to the CSV importer actions missing a nonce validation. This makes it possible for attackers with at least author privileges to embed script code in a CSV, upload it to the target site, and then trick an administrator into uploading the CSV-injected payload to a product description via a forged request, granted they can trick them into performing an action such as clicking on a link.
Affected versions
max 3.6.5.
Status
vulnerable

WooCommerce # cc5950d49d73a8fb839b4f068605db20a073f9f6

Application

WooCommerce

Date
Jun 10, 2015
Research Description
WooCommerce [woocommerce] >= 2.0.20 - <= 2.3.10
WooCommerce <= 2.3.10 - PHP Object Injection
The WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.3.10 via deserialization of untrusted input from the $custom parameter. This allows authenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to exploit XXE and read sensitive files from the server.
Affected versions
Min 2.0.20, max 2.3.10.
Status
vulnerable

WooCommerce # 09ab0bd00e389d9747bae64db77b44ca10248598

Application

WooCommerce

Date
Oct 17, 2013
Research Description
WooCommerce [woocommerce] < 2.0.18
WooCommerce <= 2.0.17 - Cross-Site Scripting
The WooCommerce plugin for WordPress is vulnerable to Cross-Site Scripting in versions up to, and including, 2.0.17 via the 'hide-wc-extensions-message' parameter due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts that execute in a victim's browser session.
Affected versions
max 2.0.18.
Status
vulnerable

WooCommerce # 6f59b2c9-1466-4c83-8967-cc1bb9b07ea6

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 2.0.17
WooCommerce 2.0.17 - hide-wc-extensions-message Parameter Reflected XSS
The WooCommerce WordPress plugin was affected by a hide-wc-extensions-message Parameter Reflected XSS security vulnerability.
Affected versions
max 2.0.17.
Status
vulnerable

WooCommerce # e938f544-d043-4831-888f-52d94e7c6c3d

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 4.1.0
WooCommerce < 4.1.0 - Unescaped Metadata when Duplicating Products
The WooCommerce changelog file was updated with the following message: "Security – Fixed unescaped meta data while duplicating products. Reported by Slavco." We will update this issue with further information as it becomes available.
Affected versions
max 4.1.0.
Status
vulnerable

WooCommerce # 4760a717-3f2d-4491-bfb1-ae0754c3bda5

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 3.6.5 WooCommerce <= 3.6.4 - Cross-Site Request Forgery (CSRF) & File Type Check Changelog mentions: Security – Introduce file type check for tax rate importer. Security – Added nonce check to CSV importer actions. RIPS Tech later released an advisory detailing the vulnerability, which can be found in the references.
Affected versions
max 3.6.5.
Status
vulnerable

WooCommerce # 446d5271-c32a-4298-be0d-8e2f60681a71

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 3.5.1 WooCommerce <= 3.5.0 - Authenticated Stored XSS The WooCommerce WordPress plugin was affected by an Authenticated Stored XSS security vulnerability.
Affected versions
max 3.5.1.
Status
vulnerable

WooCommerce # 9567f575-529d-4d66-980c-73cba6726673

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 3.4.6 WooCommerce <= 3.4.5 - Authenticated Phar Deserialization The WooCommerce WordPress plugin was affected by an Authenticated Phar Deserialization security vulnerability.
Affected versions
max 3.4.6.
Status
vulnerable

WooCommerce # 6f1ecd1e-5363-44df-b9c7-a67dc9398261

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 5.7.0 WooCommerce < 5.7.0 & WooCommerce Admin < 2.6.4 - Analytics Report Leaks The plugin was vulnerable to Analytics Report Leaks on some hosting configurations. As well as updating WooCommerce to at least version 5.7.0, and WooCommerce Admin to at least version 2.6.4, it is also recommended that directory listing is disabled on your host. Automattic updates were rolled out to force the vulnerable plugins to be updated and patched.
Affected versions
max 5.7.0.
Status
vulnerable

WooCommerce # bdda03d0-d657-4e12-8996-40152194c607

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 6.2.1 WooCommerce < 6.3.1 - Orders Marked as Paid (via PayPal Standard Gateway) The PayPal Standard payment gateway (deprecated since July 2021) of the plugin could allow attackers to mark an order as paid without actually making a payment, when PDT is enabled.
Affected versions
max 6.2.1.
Status
vulnerable

WooCommerce # 29ec75461f36da3f29ade02f2341bf0adfbb5d3c

Application

WooCommerce

Date
Jul 18, 2013
Research Description
WooCommerce [woocommerce] < 2.0.13 WooCommerce <= 2.0.12 - Self-Reflected Cross-Site Scripting The WooCommerce plugin for WordPress is vulnerable to Self-Reflected Cross-Site Scripting in versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 2.0.13.
Status
vulnerable

WooCommerce # a2cc949c-838f-4e47-9ee8-07e3fb3cb049

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 2.2.3 WooCommerce <= 2.1.12 - Reflected Cross-Site Scripting (XSS) The WooCommerce WordPress plugin was affected by a Reflected Cross-Site Scripting (XSS) security vulnerability.
Affected versions
max 2.2.3.
Status
vulnerable

WooCommerce # 05600919-3d11-4539-8850-3ac8fc6fe5a9

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 2.0.13 WooCommerce 2.0.12 - index.php calc_shipping_state Parameter XSS The WooCommerce WordPress plugin was affected by an index.php calc_shipping_state Parameter XSS security vulnerability.
Affected versions
max 2.0.13.
Status
vulnerable

WooCommerce # 26e169da-4020-4b3d-8bee-af01bd853791

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 5.7.0 WooCommerce < 6.2.1 - Path Traversal via Importers The plugin does not properly check for path traversal when importing tax rates. There are limited details at this stage and this advisory will be updated later on.
Affected versions
max 5.7.0.
Status
vulnerable

WooCommerce # 3f3094ed-23ea-4bfb-847a-d06d8a7e7cee

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 4.6.2 WooCommerce < 4.6.2 - Guest Account Creation Versions of WooCommerce prior to 4.6.2 contain a vulnerability that allows guest users to create accounts during checkout even when the "Allow customers to create an account during checkout" setting is disabled. This vulnerability is being exploited by a bot to place spam orders and create user accounts that are then used to probe for vulnerabilities in other plugins on the site.
Affected versions
max 4.6.2.
Status
vulnerable

WooCommerce # 8dac6eec-6573-4de0-b37f-ff09834c50bd

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 4.2.1 WooCommerce < 4.2.1 - Potential Cross-Site Scripting (XSS) via SelectWoo A DOM based Cross-Site Scripting (XSS) vulnerability was found to affect the SelectWoo dependency that WooCommerce used. SelectWoo replaces the standard <select> box in web browsers.
Affected versions
max 4.2.1.
Status
vulnerable

WooCommerce # 39988889-a8f4-4434-a9e9-598f926cf0b0

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 2.6.3 WooCommerce <= 2.6.2 - Authenticated Cross-Site Scripting (XSS) The WooCommerce WordPress plugin was affected by an Authenticated Cross-Site Scripting (XSS) security vulnerability.
Affected versions
max 2.6.3.
Status
vulnerable

WooCommerce # b9af34f0-9012-41a1-870b-89d4e5d2eb27

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 3.4.6 WooCommerce <= 3.4.5 - Authenticated Object Injection According to WooCommerce: "Versions 3.4.5 and earlier are affected by a handful of issues that allow Shop Managers to exceed their capabilities and perform malicious actions. These issues can be exploited by users with Shop Manager capabilities or greater, and we recommend all users running WooCommerce 3.x upgrade to 3.4.6 to mitigate them. Thanks to Simon Scannell, Karim, and Slavco for reporting the issues." See references for PoC and further technical details.
Affected versions
max 3.4.6.
Status
vulnerable

WooCommerce # d4f7dff0-7391-4448-95dd-327f0803a9b8

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 2.6.4 WooCommerce <= 2.6.3 - Stored Cross Site Scripting (XSS) via REST API The WooCommerce WordPress plugin was affected by a Stored Cross Site Scripting (XSS) via REST API security vulnerability.
Affected versions
max 2.6.4.
Status
vulnerable

WooCommerce # b0761276-0a27-4a9b-96ff-faf751a5e77a

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 2.4.9 WooCommerce <= 2.4.8 - Authenticated Cross-Site Scripting (XSS) The WooCommerce WordPress plugin was affected by an Authenticated Cross-Site Scripting (XSS) security vulnerability.
Affected versions
max 2.4.9.
Status
vulnerable

WooCommerce # 16b2bce4324d02147ad3d27b2c123adf5207626d

Application

WooCommerce

Date
Sep 11, 2023
Research Description
WooCommerce [woocommerce] < 7.0.1 WooCommerce <= 7.0.0 - Authenticated (Shop Manager+) Sensitive Information Exposure The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.0.0. This can allow authenticated attackers with Shop Manager privileges or above to extract sensitive user metadata including session tokens.
Affected versions
max 7.0.1.
Status
vulnerable

WooCommerce # 45f56af8-b238-41a5-b7d5-bd40982d5ed7

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 7.0.1 WooCommerce < 7.0.1 - Authenticated (Shop Manager+) Sensitive Information Exposure The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.0.0. This can allow authenticated attackers with Shop Manager privileges or above to extract sensitive user metadata including session tokens.
Affected versions
max 7.0.1.
Status
vulnerable

WooCommerce # 9c9498b0-d42e-4ce0-b299-ba5d08058a75

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 7.9.0 WooCommerce < 7.9.0 - Sensitive Information Exposure The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information including PII (Personally Identifiable Information).
Affected versions
max 7.9.0.
Status
vulnerable

WooCommerce # 7275a176-d579-471a-8492-df8edbdf27de

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 3.4.6 WooCommerce <= 3.4.5 - Authenticated Stored XSS The WooCommerce WordPress plugin was affected by an Authenticated Stored XSS security vulnerability.
Affected versions
max 3.4.6.
Status
vulnerable

WooCommerce # 9d4d6f49-5e02-4424-860e-f41453c9d7cf

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 2.3.11 WooCommerce 2.0.20-2.3.10 - Object Injection / XXE According to the researcher: The vulnerability is only present when WooCommerce's "PayPal Identity Token" option is set.
Affected versions
max 2.3.11.
Status
vulnerable

WooCommerce # 129632aede1886afc5c1c92626e2b0cf79dcda18

Application

WooCommerce

Date
Sep 11, 2023
Research Description
WooCommerce [woocommerce] < 7.9.0 WooCommerce <= 7.8.2 - Sensitive Information Exposure The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information including PII (Personally Identifiable Information).
Affected versions
max 7.9.0.
Status
vulnerable

WooCommerce # bb9f355a-be33-41b1-af36-0a30c24bec8c

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 7.0.1 WooCommerce < 7.0.1 - Shop Manager+ User Metadata Disclosure The plugin returns all user metadata via an AJAX action, which could allow users with a role as low as Shop Manager to access an arbitrary user's metadata, which could include tokens and other potentially sensitive data.
Affected versions
max 7.0.1.
Status
vulnerable

WooCommerce # d1cec296-b5df-4cea-8c0d-d03a975cb6af

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 7.9 WooCommerce < 7.9 - Unauthenticated Sensitive Information Disclosure The plugin does not properly apply CORS on some of its API endpoints, allowing attackers to leak customers' PII.
Affected versions
max 7.9.
Status
vulnerable

WooCommerce # 13a534b4-97bd-48e1-b936-cc57c9c56396

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 3.4.5 WooCommerce <= 3.4.4 - Potential Object Injection According to WooCommerce: "Versions 3.4.4 and earlier are affected by an issue where a function that updates attributes could lead to object injection. This is related to the WordPress 4.8.3 security release. This issue can only be exploited by users who can edit attributes and should not be possible to exploit through the WordPress administrative screens, but we still recommend all users running WooCommerce 3.x upgrade to 3.4.5 to mitigate this issue. Thanks to slavco for responsibly disclosing the vulnerability to us."
Affected versions
max 3.4.5.
Status
vulnerable

WooCommerce # d448b9d0999c662b17a6b5ecdc1b92699265a68c

Application

WooCommerce

Date
Dec 04, 2024
Research Description
WooCommerce [woocommerce] < 9.4.3 WordPress WooCommerce Plugin < 9.4.3 is vulnerable to Broken Access Control. Software: WooCommerce. Affected version: < 9.4.3. Fixed in version 9.4.3.
Affected versions
max 9.4.3.
Status
vulnerable

WooCommerce # 49c085a4182d94ecc142c402c76481462b949a87

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 8.4.0 WordPress WooCommerce Plugin <= 8.3.0 is vulnerable to Cross Site Scripting (XSS) Update the WordPress WooCommerce plugin to the latest available version (at least 8.4.0). An unknown person discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress WooCommerce Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 8.4.0.
Affected versions
max 8.4.0.
Status
vulnerable

WooCommerce # bb053f3c24afaa2cf4bc50ebf0e88d8b6f601d08

Application

WooCommerce

Date
Jan 12, 2024
Research Description
WooCommerce [woocommerce] < 8.4.0 WooCommerce < 8.4.0 - Reflected Cross-Site Scripting The WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions before 8.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. IMPORTANT: There was a miscommunication and error in this vulnerability record where we initially reported version 8.5.0 as patched, while 8.4.0 was still vulnerable. This issue was patched in version 8.4.0 and only affects versions up to 8.3.0. Please rest assured knowing you can update the plugin to version 8.4.0 and this issue will be patched.
Affected versions
max 8.4.0.
Status
vulnerable

WooCommerce # 5619e13f0d284b547a86dfa0340848e80577103b

Application

WooCommerce

Date
Jun 11, 2024
Research Description
WooCommerce [woocommerce] < 8.9.3 WordPress WooCommerce Plugin <= 8.9.2 is vulnerable to Cross Site Scripting (XSS). Software: WooCommerce. Link: https://wordpress.org/plugins/woocommerce/#developers. Affected version: <= 8.9.2. Fixed in version 8.9.3.
Affected versions
max 8.9.3.
Status
vulnerable

WooCommerce # 0b51f01a-24d9-4101-bdcf-728b21efc5ed

Application

WooCommerce

Date
-
Research Description
WooCommerce [woocommerce] < 8.4.0 WooCommerce < 8.4.0 - Reflected Cross-Site Scripting The plugin does not properly sanitize user input provided via the add_query_arg() function when it is echoed back into a JavaScript code context.
Affected versions
max 8.4.0.
Status
vulnerable