Lucene search
+L

3520 matches found

nuclei
nuclei
added yesterday35 views

Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update

YIKES Inc. Custom Product Tabs for WooCommerce plugin \u003C= 1.7.7 contains a broken access control caused by improper permission checks in &yikes-the-content-toggle option update, letting attackers modify content without authorization. id: CVE-2022-28666 info: name: Custom Product Tabs for...

5.3CVSS6.2AI score0.01226EPSS
Exploits1References1
nuclei
nuclei
added yesterday35 views

WordPress OrderConvo < 14 - Path Traversal

WooCommerce OrderConvo WordPress plugin \u003C 14 contains a path traversal vulnerability caused by improper validation of file download paths, letting unauthenticated attackers read or download arbitrary files remotely id: CVE-2025-10162 info: name: WordPress OrderConvo 14 - Path Traversal autho...

7.5CVSS6.2AI score0.03632EPSS
Exploits4References3
nuclei
nuclei
added yesterday16 views

Hippoo Mobile App for WooCommerce <= 1.9.4 - Authentication Bypass to Admin Account Takeover

Hippoo Mobile App for WooCommerce WordPress plugin = 1.9.4 contains an authentication bypass caused by logic conflation in user permission checks, letting unauthenticated attackers take over administrator accounts via REST API password reset. id: CVE-2026-10580 info: name: Hippoo Mobile App for...

9.8CVSS6.1AI score0.02841EPSS
Exploits1References2
nuclei
nuclei
added yesterday20 views

WCAPF WooCommerce Ajax Product Filter - SQL Injection

WCAPF WooCommerce Ajax Product Filter = 4.2.3 contains a time-based SQL injection caused by insufficient escaping of the 'post-author' parameter, letting unauthenticated attackers extract sensitive database information remotely. id: CVE-2026-3396 info: name: WCAPF WooCommerce Ajax Product Filter ...

7.5CVSS6.1AI score0.01473EPSS
Exploits0References2
euvd
euvd
added yesterday8 views

EUVD-2026-44902

The SysBasics Customize My Account for WooCommerce – Live My Account Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rowtype' parameter in all versions up to, and including, 4.4.14 due to insufficient input sanitization and output escaping. This makes it...

4.4CVSS6.2AI score0.00208EPSS
Exploits0References8
nvd
nvd
added yesterday7 views

CVE-2026-12585

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is...

8.1CVSS0.00136EPSS
Exploits0References1
nvd
nvd
added yesterday5 views

CVE-2026-12684

The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files bounded to an image a...

6.5CVSS0.00191EPSS
Exploits0References1
nvd
nvd
added yesterday6 views

CVE-2026-12492

The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well ...

9.8CVSS0.00149EPSS
Exploits0References1
euvd
euvd
added yesterday6 views

EUVD-2026-44877

The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files bounded to an image a...

6.5CVSS6.1AI score0.00191EPSS
Exploits0References1
cvelist
cvelist
added yesterday23 views

CVE-2026-12585 Abandoned Cart Lite for WooCommerce < 6.8.2 - Unauthenticated Account Takeover via Malleable Recovery-Link Token

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is...

0.00136EPSS
Exploits0References1
cvelist
cvelist
added yesterday18 views

CVE-2026-12492 Happy Coders OTP Login for WooCommerce < 2.8 - Unauthenticated Account Takeover via hcotp_auto_login_user

The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well ...

0.00149EPSS
Exploits0References1
euvd
euvd
added yesterday6 views

EUVD-2026-44876

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is...

8.1CVSS6.1AI score0.00136EPSS
Exploits0References1
cve
cve
added yesterday11 views

CVE-2026-12492

The CVE-2026-12492 entry concerns the Happy Coders OTP Login for WooCommerce WordPress plugin prior to 2.8. The root cause is that the plugin does not verify that a One-Time Password was actually validated before authenticating a user based on a provided identifier. This enables unauthenticated a...

9.8CVSS6.1AI score0.00149EPSS
Exploits0References1
cve
cve
added yesterday14 views

CVE-2026-12585

The CVE-2026-12585 describes a vulnerability in the Abandoned Cart Lite for WooCommerce WordPress plugin (versions before 6.8.2). The root cause is failure to protect the integrity of cart-recovery tokens and failure to bind them to the requesting account, enabling unauthenticated attackers to fo...

8.1CVSS6.1AI score0.00136EPSS
Exploits0References1
nvd
nvd
added yesterday6 views

CVE-2026-15306

The Product Feed Manager For WooCommerce – Sell on 200+ Online Marketplaces plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 's' Search Parameter in all versions up to, and including, 7.6.1 due to insufficient input sanitization and output escaping. This makes it possible...

6.1CVSS0.00215EPSS
Exploits0References6
nvd
nvd
added yesterday9 views

CVE-2026-12753

The Advance Product Search- Voice & Ajax Search for WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 's' and 'match' parameter in all versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation ...

7.5CVSS0.00304EPSS
Exploits0References5
cvelist
cvelist
added yesterday21 views

CVE-2026-15306 Product Feed Manager For WooCommerce <= 7.6.1 - Reflected Cross-Site Scripting via 's' Search Parameter

The Product Feed Manager For WooCommerce – Sell on 200+ Online Marketplaces plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 's' Search Parameter in all versions up to, and including, 7.6.1 due to insufficient input sanitization and output escaping. This makes it possible...

6.1CVSS0.00215EPSS
Exploits0References6
cve
cve
added yesterday10 views

CVE-2026-12753

The CVE-2026-12753 entry concerns the WordPress plugin “Advance Product Search- Voice & Ajax Search for WooCommerce” and its insecure handling of user input in the parameters 's' and 'match'. Affected versions are up to and including 1.4.4. The root cause is insufficient escaping and lack of prop...

7.5CVSS6.1AI score0.00304EPSS
Exploits0References5
nvd
nvd
added 4 days ago4 views

CVE-2026-57773

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Zorem Advanced Shipment Tracking for WooCommerce woo-advanced-shipment-tracking allows Blind SQL Injection.This issue affects Advanced Shipment Tracking for WooCommerce: from n/a through = 4.0...

7.6CVSS0.00372EPSS
Exploits0References1
nvd
nvd
added 4 days ago3 views

CVE-2026-57404

Missing Authorization vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking and Rental Manager: from n/a through = 2.6.9...

6.5CVSS0.00242EPSS
Exploits0References1
Rows per page
Query Builder