Lucene search

AutomatticWoocommerce

11 matches found

CVE
added 2024/04/15 5:15 a.m. | 2654 views

CVE-2024-1310

The WooCommerce WordPress plugin before 8.6 does not prevent users with at least the contributor role from leaking products they shouldn't have access to (e.g. private, draft and trashed products).

CVSS 4.9 | AI score 9.3 | EPSS 0.00228

CVE
added 2024/07/09 10:15 a.m. | 97 views

CVE-2024-35777

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing. This issue affects WooCommerce: from n/a through 8.9.2.

CVSS 3.5 | AI score 4.4 | EPSS 0.00122

CVE
added 2023/11/30 12:15 p.m. | 96 views

CVE-2023-47777

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks allows Stored XSS. This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1.

CVSS 6.5 | AI score 6.1 | EPSS 0.00321

CVE
added 2024/08/18 2:15 p.m. | 64 views

CVE-2024-39666

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 9.1.2.

CVSS 5.9 | AI score 5.8 | EPSS 0.00039

CVE
added 2021/05/17 5:15 p.m. | 62 views

CVE-2021-24323

When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high-privilege users such as admin to use XSS payloads even when the unfiltered_html capability is disabled.

CVSS 4.8 | AI score 4.7 | EPSS 0.00377

CVE
added 2025/05/22 4:16 a.m. | 61 views

CVE-2025-5062

The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attacker...

CVSS 6.1 | AI score 6.3 | EPSS 0.00184

CVE
added 2024/04/07 6:15 p.m. | 60 views

CVE-2024-22155

Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.5.2.

CVSS 4.3 | AI score 5 | EPSS 0.00227

CVE
added 2024/01/08 7:15 p.m. | 53 views

CVE-2023-52222

Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2.

CVSS 8.8 | AI score 8.6 | EPSS 0.00199

CVE
added 2024/11/18 10:15 p.m. | 53 views

CVE-2024-10486

The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to publicly accessible print_php_information.php file. This makes it possible for unauthenticated attackers to retrieve information about Webserver and PH...

CVSS 5.3 | AI score 4.9 | EPSS 0.02166

CVE
added 2017/11/29 7:29 a.m. | 52 views

CVE-2017-17058

The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, which accesses a parent directory. NOTE: a software maintainer indicates that Directory Traversal is not possible because all of the template f...

CVSS 7.5 | AI score 7.6 | EPSS 0.42903

CVE
added 2025/03/27 4:15 p.m. | 43 views

CVE-2025-26762

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce allows Stored XSS. This issue affects WooCommerce: from n/a through 9.7.0.

CVSS 5.9 | AI score 5.8 | EPSS 0.00042