Filtered by vendor Woocommerce
Subscriptions
Total
130 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-52820 | 3 Infosoftplugin, Woocommerce, Wordpress | 3 Woocommerce Point Of Sale, Woocommerce, Wordpress | 2025-08-16 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in infosoftplugin WooCommerce Point Of Sale (POS) allows SQL Injection. This issue affects WooCommerce Point Of Sale (POS): from n/a through 1.4. | ||||
| CVE-2025-49887 | 3 Woocommerce, Wordpress, Wpfactory | 3 Woocommerce, Wordpress, Product Xml Feed Manager For Woocommerce | 2025-08-16 | 9.9 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in WPFactory Product XML Feed Manager for WooCommerce allows Remote Code Inclusion. This issue affects Product XML Feed Manager for WooCommerce: from n/a through 2.9.3. | ||||
| CVE-2025-53575 | 3 Primersoftware, Woocommerce, Wordpress | 3 Primer Mydata For Woocommerce, Woocommerce, Wordpress | 2025-08-16 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in primersoftware Primer MyData for Woocommerce allows Reflected XSS. This issue affects Primer MyData for Woocommerce: from n/a through 4.2.5. | ||||
| CVE-2025-8342 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2025-08-16 | 8.1 High |
| The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured. | ||||
| CVE-2025-6025 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2025-08-16 | 7.5 High |
| The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated attackers to apply an excessive or even negative tip amount, resulting in unauthorized discount up to free orders depending on the value submitted. | ||||
| CVE-2025-5391 | 2 Woocommerce, Wordpress | 3 Woocommerce, Woocommerce Purchase Orders Plugin, Wordpress | 2025-08-13 | 8.1 High |
| The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-8198 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2025-07-31 | 7.5 High |
| The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.9.0. This is due to an insufficient check on quantity values when changing quantities in the cart. This makes it possible for unauthenticated attackers to add items to the cart and adjust the quantity to a fractional amount, causing the price to change based on the fractional amount. The vulnerability cannot be exploited if WooCommerce version 9.8.2+ is installed. | ||||
| CVE-2025-6730 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2025-07-30 | 4.3 Medium |
| The Bonanza – WooCommerce Free Gifts Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the xlo_optin_call() function in all versions up to, and including, 1.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set the opt in status to success. | ||||
| CVE-2025-49885 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2025-07-14 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme Drag and Drop Multiple File Upload (Pro) - WooCommerce allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop Multiple File Upload (Pro) - WooCommerce: from n/a through 5.0.6. | ||||
| CVE-2024-24799 | 2 Woocommerce, Wordpress | 2 Woocommerce Box Office, Wordpress | 2025-07-13 | 6.5 Medium |
| Missing Authorization vulnerability in WooCommerce WooCommerce Box Office.This issue affects WooCommerce Box Office: from n/a through 1.2.2. | ||||
| CVE-2025-32544 | 1 Woocommerce | 1 Woocommerce | 2025-07-13 | 7.5 High |
| Missing Authorization vulnerability in The Right Software WooCommerce Loyal Customers allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WooCommerce Loyal Customers: from n/a through 2.6. | ||||
| CVE-2024-0626 | 1 Woocommerce | 1 Woocommerce | 2025-07-12 | 5.3 Medium |
| The WooCommerce Clover Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callback_handler function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to mark orders as paid. | ||||
| CVE-2025-47641 | 1 Woocommerce | 1 Woocommerce | 2025-06-27 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce allows Upload a Web Shell to a Web Server. This issue affects Printcart Web to Print Product Designer for WooCommerce: from n/a through 2.3.8. | ||||
| CVE-2025-48123 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2025-06-27 | 10 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Holest Engineering Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light allows Code Injection. This issue affects Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light: from n/a through 2.4.37. | ||||
| CVE-2025-47687 | 1 Woocommerce | 1 Storekeeper | 2025-06-20 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Upload a Web Shell to a Web Server. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4. | ||||
| CVE-2023-52222 | 1 Woocommerce | 1 Woocommerce | 2025-06-17 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.2.2. | ||||
| CVE-2022-0775 | 1 Woocommerce | 1 Woocommerce | 2025-06-11 | 4.3 Medium |
| The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment | ||||
| CVE-2024-1747 | 2 Vanquish, Woocommerce | 2 Woocommerce Customers Manager, Woocommerce Customers Manager | 2025-05-29 | 6.5 Medium |
| The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values. | ||||
| CVE-2024-2843 | 2 Vanquish, Woocommerce | 2 Woocommerce Customers Manager, Woocommerce Customers Manager | 2025-05-29 | 6.5 Medium |
| The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin users delete users via CSRF attacks | ||||
| CVE-2024-3983 | 2 Vanquish, Woocommerce | 2 Woocommerce Customers Manager, Woocommerce Customers Manager | 2025-05-29 | 8.1 High |
| The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting customers via CSRF attacks | ||||