9 matches found

Vulnrichment
added 2025/07/31 4:26 a.m., 2 views

CVE-2025-5720 Customer Reviews for WooCommerce <= 5.80.2 - Unauthenticated Stored Cross-Site Scripting via `author` Parameter

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author’ parameter in all versions up to, and including, 5.80.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVSS: 6.4, AI score: 5.7, EPSS: 0.00562
Exploits: 0, References: 4

Patchstack
added 2025/06/03 9:10 a.m., 8 views

WordPress WooCommerce Photo Reviews plugin <= 1.3.13 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by Seb in WordPress Plugin WooCommerce Photo Reviews versions <= 1.3.13...

CVSS: 7.1, AI score: 5.9, EPSS: 0.00047
Exploits: 0, Affected Software: 1

NVD
added 2025/05/19 3:15 p.m., 8 views

CVE-2025-48251

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Additional Custom Emails & Recipients for WooCommerce (custom-emails-for-woocommerce) allows Stored XSS. This issue affects Additional Custom Emails & Recipients for WooCommerce: from n/a...

CVSS: 6.5, EPSS: 0.00143
Exploits: 0, References: 1

Positive Technologies
added 2025/04/17 12:0 a.m., 4 views

PT-2025-17036 · Unknown · Bitsstech Shipment Tracker For Woocommerce

Name of the Vulnerable Software and Affected Versions: bitsstech Shipment Tracker for Woocommerce versions 1.4.23 and earlier
Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Reflected XSS. This means an...

CVSS: 7.1, AI score: 6.2, EPSS: 0.00219
Exploits: 0, References: 4

Vulnrichment
added 2025/04/09 7:35 p.m., 7 views

CVE-2025-26888 WordPress WooCommerce Multilingual & Multicurrency plugin <= 5.3.8 - Broken Access Control vulnerability

Missing Authorization vulnerability in Amir Helzer WooCommerce Multilingual & Multicurrency (woocommerce-multilingual) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Multilingual & Multicurrency: from n/a through <= 5.3.8...

CVSS: 5.3, AI score: 8.5, EPSS: 0.00311
Exploits: 0, References: 1

CVE
added 2025/02/15 7:33 a.m., 85 views

CVE-2024-13513

CVE-2024-13513 affects the Oliver POS – a WooCommerce WordPress plugin, with Sensitive Information Exposure via the plugin’s logging functionality in versions up to 2.4.2.3. Unauthenticated attackers could extract sensitive data (e.g., clientToken) from logs, enabling changes to user account info...

CVSS: 9.8, AI score: 6.6, EPSS: 0.00146
Exploits: 2, References: 3, Affected Software: 1

Vulnrichment
added 2025/02/01 6:41 a.m., 6 views

CVE-2024-13341 MultiLoca - WooCommerce Multi Locations Inventory Management <= 4.1.11 - Authenticated (Subscriber+) SQL Injection

The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to SQL Injection via the 'data-id' parameter in all versions up to, and including, 4.1.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVSS: 6.5, AI score: 6.5, EPSS: 0.00066
Exploits: 0, References: 2

NVD
added 2025/01/31 9:15 a.m., 4 views

CVE-2025-24551

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in oneteamsoftware Radio Buttons and Swatches for WooCommerce (variations-radio-buttons-for-woocommerce) allows Reflected XSS. This issue affects Radio Buttons and Swatches for WooCommerce: from n/a...

CVSS: 7.1, EPSS: 0.00178
Exploits: 0, References: 1

CVE
added 2024/12/24 4:22 a.m., 51 views

CVE-2024-12266

CVE-2024-12266 affects the ELEX WooCommerce Dynamic Pricing and Discounts plugin for WordPress. The Red Hat advisory confirms a missing capability check in the functions elex_dp_export_rules() and elex_dp_import_rules() across all versions up to and including 2.1.7, enabling unauthenticated attac...

CVSS: 6.5, AI score: 6.3, EPSS: 0.00369
Exploits: 0, References: 5