Lucene search
K

3463 matches found

Cvelist
Cvelist
added yesterday13 views

CVE-2026-12936 Recurio <= 1.1.3 - Authenticated (Shop Manager+) SQL Injection via 'data' Parameter

The Recurio – Ultimate Subscription for WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

4.9CVSS
Exploits0References4
NVD
NVD
added yesterday6 views

CVE-2026-14500

The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouwfetchcsvdata AJAX handler being registered on the wpajaxnopriv hook with no capability or nonce check, and passing the attacker-supplied...

5.3CVSS0.00333EPSS
Exploits0References4
EUVD
EUVD
added yesterday5 views

EUVD-2026-42175

The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouwfetchcsvdata AJAX handler being registered on the wpajaxnopriv hook with no capability or nonce check, and passing the attacker-supplied...

5.3CVSS6.1AI score0.00333EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday16 views

Hippoo Mobile App for WooCommerce <= 1.9.4 - Authentication Bypass to Admin Account Takeover

Hippoo Mobile App for WooCommerce WordPress plugin = 1.9.4 contains an authentication bypass caused by logic conflation in user permission checks, letting unauthenticated attackers take over administrator accounts via REST API password reset. id: CVE-2026-10580 info: name: Hippoo Mobile App for...

9.8CVSS5.9AI score0.02841EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday18 views

WCAPF WooCommerce Ajax Product Filter - SQL Injection

WCAPF WooCommerce Ajax Product Filter = 4.2.3 contains a time-based SQL injection caused by insufficient escaping of the 'post-author' parameter, letting unauthenticated attackers extract sensitive database information remotely. id: CVE-2026-3396 info: name: WCAPF WooCommerce Ajax Product Filter ...

7.5CVSS6AI score0.01473EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday31 views

WordPress OrderConvo < 14 - Path Traversal

WooCommerce OrderConvo WordPress plugin \u003C 14 contains a path traversal vulnerability caused by improper validation of file download paths, letting unauthenticated attackers read or download arbitrary files remotely id: CVE-2025-10162 info: name: WordPress OrderConvo 14 - Path Traversal autho...

7.5CVSS6AI score0.03632EPSS
Exploits4References3
Nuclei
Nuclei
added yesterday33 views

Custom Product Tabs for WooCommerce < 1.7.8 - Unauthenticated Toggle Content Setting Update

YIKES Inc. Custom Product Tabs for WooCommerce plugin \u003C= 1.7.7 contains a broken access control caused by improper permission checks in &yikes-the-content-toggle option update, letting attackers modify content without authorization. id: CVE-2022-28666 info: name: Custom Product Tabs for...

5.3CVSS6.1AI score0.01226EPSS
Exploits1References1
EUVD
EUVD
added 2 days ago8 views

EUVD-2026-42009

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the 'postData' parameter parameter. This is due to unsanitized write of attacker-controlled postData values...

9.8CVSS6.3AI score0.00745EPSS
Exploits0References11
Patchstack
Patchstack
added 3 days ago5 views

WordPress AR for WooCommerce plugin <= 8.40 - Unauthenticated Path Traversal to Arbitrary File Read vulnerability

Unauthenticated Path Traversal to Arbitrary File Read vulnerability discovered by CHOIGYEONGMIN in WordPress Plugin AR For Woocommerce versions = 8.40...

7.5CVSS5.9AI score0.00473EPSS
Exploits0References1Affected Software1
NVD
NVD
added 6 days ago7 views

CVE-2026-11778

The The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value...

5.4CVSS0.00255EPSS
Exploits0References4
Cvelist
Cvelist
added 6 days ago35 views

CVE-2026-11778 CURCY <= 2.2.14 - Unauthenticated Arbitrary Shortcode Execution via 'exchange' Parameter

The The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value...

5.4CVSS0.00255EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 6 days ago6 views

CVE-2026-11778

The The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value...

5.4CVSS6.3AI score0.00255EPSS
Exploits0References5
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-41521

The The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value...

5.4CVSS6.3AI score0.00255EPSS
Exploits0References4
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-41488

The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2 This is due to insufficient path validation in the storedesigndata function, which constructs a filesystem path from the user-supplied...

9.1CVSS6.5AI score0.00742EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 6 days ago10 views

CVE-2026-9725

The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 2.5.2 This is due to insufficient path validation in the storedesigndata function, which constructs a filesystem path from the user-supplied...

9.1CVSS6.5AI score0.00742EPSS
Exploits0References7
CVE
CVE
added 6 days ago19 views

CVE-2026-9725

The CVE-2026-9725 issue affects the Printcart Web to Print Product Designer for WooCommerce plugin for WordPress (versions

9.1CVSS6.5AI score0.00742EPSS
Exploits0References6
CVE
CVE
added 6 days ago20 views

CVE-2026-14352

AR for WooCommerce

7.5CVSS5.9AI score0.00473EPSS
Exploits0References7
EUVD
EUVD
added 6 days ago5 views

EUVD-2026-41485

The AR for WooCommerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 8.40 via the 'file' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive...

7.5CVSS5.9AI score0.00473EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added last week9 views

CVE-2026-57758

Unauthenticated Cross Site Request Forgery CSRF in Permalink Manager for WooCommerce = 1.0.8.2 versions...

7.1CVSS5.8AI score0.00094EPSS
Exploits0References2
Cvelist
Cvelist
added last week35 views

CVE-2026-57753 WordPress Kit (formerly ConvertKit) for WooCommerce plugin <= 2.1.5 - Sensitive Data Exposure vulnerability

Unauthenticated Sensitive Data Exposure in Kit formerly ConvertKit for WooCommerce = 2.1.5 versions...

5.3CVSS0.00206EPSS
Exploits0References1
Rows per page
Query Builder