Vulnerabilities and security research for wpify-woo
Jun 07, 2024
WPify Woo Czech # CVE-2024-1492
- Date: Feb 29, 2024
- Research Description: The WPify Woo Czech plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the maybe_send_to_packeta function in all versions up to, and including, 4.0.8. This makes it possible for unauthenticated attackers to obtain shipping details for orders as long as the order number is known.
- Affected versions: max 4.0.9.
- Status: vulnerable
WPify Woo Czech # CVE-2024-33946
- Date: May 03, 2024
- Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPify s.r.o. WPify Woo Czech allows Reflected XSS. This issue affects WPify Woo Czech: from n/a through 4.0.10.
- Affected versions: max 4.0.11.
- Status: vulnerable
WPify Woo Czech # bc55394b017086e53b0cb63fd50999068584c472
- Date: May 16, 2022
- Research Description: WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce [wpify-woo] < 3.5.7. WordPress WPify Woo Czech plugin <= 3.5.6 - Reflected Cross-Site Scripting (XSS) vulnerability. Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress WPify Woo Czech plugin (versions <= 3.5.6). Update the WordPress WPify Woo Czech plugin to the latest available version (at least 3.5.7).
- Affected versions: max 3.5.7.
- Status: vulnerable
May 30, 2026
WPify Woo Czech # CVE-2026-42748
- Date: May 27, 2026
- Research Description: Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server. This issue affects WPify Woo Czech: from n/a through <= 5.4.1.
- Affected versions: max 5.4.2.
- Status: vulnerable
Jun 16, 2026
WPify Woo Czech # bf3ea78681ccb672f188e5175ccf36ef8160eb18
- Date: May 16, 2022
- Research Description: WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce [wpify-woo] < 3.5.7. WPify Woo Czech <= 3.5.6 - Reflected Cross-Site Scripting. The WPify Woo Czech plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of '$_SERVER['PHP_SELF']' with insufficient input sanitization and output escaping in versions up to, and including, 3.5.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
- Affected versions: max 3.5.7.
- Status: vulnerable
WPify Woo Czech # 5c66c32b-22f2-4b59-a6b2-b8da944cdc3c
- Date: -
- Research Description: WPify Woo – Withdrawal, CRN/VAT, QR payments, Heureka and more for WooCommerce [wpify-woo] < 3.5.7. WPify Woo Czech < 3.5.7 - Reflected Cross-Site Scripting (XSS). The plugin uses the Vies library v2.2.0, which has a sample file outputting $_SERVER['PHP_SELF'] in an attribute without being escaped first, leading to a Reflected Cross-Site Scripting. The issue is only exploitable when the web server has the PDO driver installed, and write access to the example directory (otherwise an exception will be raised before the payload is output).
- Affected versions: max 3.5.7.
- Status: vulnerable