Filtered by vendor Woocommerce
Subscriptions
Filtered by product Woocommerce
Subscriptions
Total
125 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-12964 | 3 Nalam-1, Woocommerce, Wordpress | 3 Magical Products Display, Woocommerce, Wordpress | 2025-11-24 | 6.4 Medium |
| The Magical Products Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpdpr_title_tag' and 'mpdpr_subtitle_tag' parameters in the MPD Pricing Table widget in all versions up to, and including, 1.1.29 due to insufficient input sanitization and output escaping on user-supplied HTML tag names. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-13156 | 3 Appsbd, Woocommerce, Wordpress | 3 Vitepos, Woocommerce, Wordpress | 2025-11-24 | 8.8 High |
| The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible. | ||||
| CVE-2025-66069 | 3 Themeisle, Woocommerce, Wordpress | 3 Ppom For Woocommerce, Woocommerce, Wordpress | 2025-11-24 | 4.3 Medium |
| Missing Authorization vulnerability in Themeisle PPOM for WooCommerce woocommerce-product-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PPOM for WooCommerce: from n/a through <= 33.0.16. | ||||
| CVE-2025-66089 | 3 Webtoffee, Woocommerce, Wordpress | 3 Product Feed For Woocommerce, Woocommerce, Wordpress | 2025-11-24 | 4.3 Medium |
| Missing Authorization vulnerability in WebToffee Product Feed for WooCommerce webtoffee-product-feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Feed for WooCommerce: from n/a through <= 2.3.1. | ||||
| CVE-2025-66109 | 3 Octolize, Woocommerce, Wordpress | 3 Cart Weight For Woocommerce, Woocommerce, Wordpress | 2025-11-24 | N/A |
| Missing Authorization vulnerability in octolize Cart Weight for WooCommerce woo-cart-weight allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cart Weight for WooCommerce: from n/a through <= 1.9.11. | ||||
| CVE-2025-66114 | 3 Theme Funda, Woocommerce, Wordpress | 3 Show Variations As Single Products Woocommerce, Woocommerce, Wordpress | 2025-11-24 | N/A |
| Missing Authorization vulnerability in theme funda Show Variations as Single Products Woocommerce woo-show-single-variations-shop-category allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Show Variations as Single Products Woocommerce: from n/a through <= 2.0. | ||||
| CVE-2025-12545 | 3 Alekv, Woocommerce, Wordpress | 3 Pixel Manager For Woocommerce, Woocommerce, Wordpress | 2025-11-21 | 5.3 Medium |
| The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.49.2 via the ajax_pmw_get_product_ids() function due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to. | ||||
| CVE-2025-12878 | 3 Funnelkit, Woocommerce, Wordpress | 3 Funnel Builder, Woocommerce, Wordpress | 2025-11-20 | 6.4 Medium |
| The FunnelKit – Funnel Builder for WooCommerce Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `wfop_phone` shortcode in all versions up to, and including, 3.13.1.2. This is due to insufficient input sanitization and output escaping on the user-supplied `default` attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12392 | 3 Tripleatechnology, Woocommerce, Wordpress | 3 Cryptocurrency Payment Gateway For Woocommerce, Woocommerce, Wordpress | 2025-11-19 | 5.3 Medium |
| The Cryptocurrency Payment Gateway for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_optin_optout' function in all versions up to, and including, 2.0.22. This makes it possible for unauthenticated attackers to opt in and out of tracking. | ||||
| CVE-2025-12955 | 3 Rajeshsingh520, Woocommerce, Wordpress | 3 Live Sales Notification For Woocommerce, Woocommerce, Wordpress | 2025-11-19 | 7.5 High |
| The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details. | ||||
| CVE-2025-13088 | 3 Ikhodal, Woocommerce, Wordpress | 3 Category And Product Woocommerce Tabs, Woocommerce, Wordpress | 2025-11-19 | 8.8 High |
| The Category and Product Woocommerce Tabs plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0. This is due to insufficient input validation on the 'template' parameter in the categoryProductTab() function. This makes it possible for authenticated attackers, with contributor level access and above, to include and execute arbitrary .php files on the server. | ||||
| CVE-2025-12639 | 3 Sundayfanz, Woocommerce, Wordpress | 3 Wmodes, Woocommerce, Wordpress | 2025-11-19 | 4.3 Medium |
| The wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to access sensitive information via the AJAX endpoint. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive information including user emails, usernames, roles, capabilities, and WooCommerce data such as products and payment methods. | ||||
| CVE-2025-60204 | 3 Josh Kohlbach, Woocommerce, Wordpress | 3 Woocommerce Store Toolkit, Woocommerce, Wordpress | 2025-11-18 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Josh Kohlbach WooCommerce Store Toolkit woocommerce-store-toolkit allows PHP Local File Inclusion.This issue affects WooCommerce Store Toolkit: from n/a through <= 2.4.3. | ||||
| CVE-2025-60243 | 3 Holest Engineering, Woocommerce, Wordpress | 3 Selling Commander For Woocommerce, Woocommerce, Wordpress | 2025-11-17 | 9.8 Critical |
| Incorrect Privilege Assignment vulnerability in Holest Engineering Selling Commander for WooCommerce selling-commander-connector allows Privilege Escalation.This issue affects Selling Commander for WooCommerce: from n/a through <= 1.2.46. | ||||
| CVE-2025-60235 | 3 Plugify, Woocommerce, Wordpress | 3 Helpdesk Support Ticket System For Woocommerce, Woocommerce, Wordpress | 2025-11-17 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Plugify Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Using Malicious Files.This issue affects Helpdesk Support Ticket System for WooCommerce: from n/a through <= 2.1.0. | ||||
| CVE-2025-60207 | 3 Addify, Woocommerce, Wordpress | 3 Custom User Registration Fields For Woocommerce, Woocommerce, Wordpress | 2025-11-17 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Addify Custom User Registration Fields for WooCommerce user-registration-plugin-for-woocommerce allows Upload a Web Shell to a Web Server.This issue affects Custom User Registration Fields for WooCommerce: from n/a through <= 2.1.2. | ||||
| CVE-2025-60189 | 3 Polopag, Woocommerce, Wordpress | 3 Polopag, Woocommerce, Wordpress | 2025-11-17 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PoloPag PoloPag – Pix Automático para Woocommerce wc-polo-payments allows PHP Local File Inclusion.This issue affects PoloPag – Pix Automático para Woocommerce: from n/a through <= 2.0.9. | ||||
| CVE-2025-64267 | 3 Woocommerce, Wordpress, Wpswings | 3 Woocommerce, Wordpress, Ultimate Points And Rewards | 2025-11-14 | 4.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPSwings WooCommerce Ultimate Points And Rewards woocommerce-ultimate-points-and-rewards allows Retrieve Embedded Sensitive Data.This issue affects WooCommerce Ultimate Points And Rewards: from n/a through <= 2.10.2. | ||||
| CVE-2025-11821 | 3 Elvismdev, Woocommerce, Wordpress | 3 Products By Custom Tax, Woocommerce, Wordpress | 2025-11-14 | 6.4 Medium |
| The Woocommerce – Products By Custom Tax plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'woo_products_custom_tax' shortcode in all versions up to, and including, 2.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-49947 | 3 Extendons, Woocommerce, Wordpress | 3 Woocommerce Registration Fields Plugin, Woocommerce, Wordpress | 2025-11-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extendons WooCommerce Registration Fields Plugin - Custom Signup Fields extendons-registration-fields allows Reflected XSS.This issue affects WooCommerce Registration Fields Plugin - Custom Signup Fields: from n/a through <= 3.2.3. | ||||