Filtered by vendor Woocommerce
Subscriptions
Filtered by product Woocommerce
Subscriptions
Total
205 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-53422 | 3 Themewarriors, Woocommerce, Wordpress | 3 Whatsapp Chat, Woocommerce, Wordpress | 2026-04-01 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeWarriors WhatsApp Chat for WordPress and WooCommerce tw-whatsapp-chat-rotator allows Reflected XSS.This issue affects WhatsApp Chat for WordPress and WooCommerce: from n/a through <= 1.2.1. | ||||
| CVE-2025-53297 | 3 Aa-team, Woocommerce, Wordpress | 3 Woocommerce Envato Affiliates, Woocommerce, Wordpress | 2026-04-01 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Envato Affiliates wooenvato allows Reflected XSS.This issue affects Woocommerce Envato Affiliates: from n/a through <= 1.2.1. | ||||
| CVE-2025-49947 | 3 Extendons, Woocommerce, Wordpress | 3 Woocommerce Registration Fields Plugin, Woocommerce, Wordpress | 2026-04-01 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extendons WooCommerce Registration Fields Plugin - Custom Signup Fields extendons-registration-fields allows Reflected XSS.This issue affects WooCommerce Registration Fields Plugin - Custom Signup Fields: from n/a through <= 3.2.3. | ||||
| CVE-2025-49911 | 3 Woocommerce, Wordpress, Wpinstinct | 3 Woocommerce, Wordpress, Woo Commerce Vehicle Parts Finder | 2026-04-01 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Reflected XSS.This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7. | ||||
| CVE-2025-49380 | 3 Woocommerce, Wordpress, Wpinstinct | 3 Woocommerce, Wordpress, Woocommerce Vehicle Parts Finder | 2026-04-01 | 5.3 Medium |
| Deserialization of Untrusted Data vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Object Injection.This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7. | ||||
| CVE-2025-49379 | 3 Silverplugins217, Woocommerce, Wordpress | 3 Custom Fields Account Registration For Woocommerce, Woocommerce, Wordpress | 2026-04-01 | 7.2 High |
| Incorrect Privilege Assignment vulnerability in silverplugins217 Custom Fields Account Registration For Woocommerce custom-fields-account-registration-for-woocommerce allows Privilege Escalation.This issue affects Custom Fields Account Registration For Woocommerce: from n/a through <= 1.2. | ||||
| CVE-2025-13457 | 3 Automattic, Woocommerce, Wordpress | 3 Woocommerce Square, Woocommerce, Wordpress | 2026-01-13 | 7.5 High |
| The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site. | ||||
| CVE-2025-30631 | 3 Aa-team, Woocommerce, Wordpress | 4 Amazon Affiliates Addon For Wpbakery Page Builder, Woocommerce Sales Funnel Builder, Woocommerce and 1 more | 2026-01-08 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS.This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2. | ||||
| CVE-2025-10162 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2025-10-08 | 7.5 High |
| The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files via a path traversal attack | ||||
| CVE-2025-58991 | 3 Cristiano Zanca, Woocommerce, Wordpress | 3 Woocommerce Booking Bundle Hours, Woocommerce, Wordpress | 2025-09-11 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Cristiano Zanca WooCommerce Booking Bundle Hours allows Stored XSS. This issue affects WooCommerce Booking Bundle Hours: from n/a through 0.7.4. | ||||
| CVE-2025-28999 | 3 Woocommerce, Wordpress, Zoomit | 3 Woocommerce, Wordpress, Woocommerce Shop Page Builder | 2025-08-16 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt WooCommerce Shop Page Builder allows Reflected XSS. This issue affects WooCommerce Shop Page Builder: from n/a through 2.27.7. | ||||
| CVE-2023-52222 | 1 Woocommerce | 1 Woocommerce | 2025-06-17 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.2.2. | ||||
| CVE-2022-0775 | 1 Woocommerce | 1 Woocommerce | 2025-06-11 | 4.3 Medium |
| The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment | ||||
| CVE-2016-10112 | 1 Woocommerce | 1 Woocommerce | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format. | ||||
| CVE-2024-37297 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 5.4 Medium |
| WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature. | ||||
| CVE-2023-32575 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 5.9 Medium |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI Websolution Product page shipping calculator for WooCommerce plugin <= 1.3.25 versions. | ||||
| CVE-2022-2099 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 4.8 Medium |
| The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles | ||||
| CVE-2021-32790 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 4.9 Medium |
| Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpoints of `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing API. Read-only SQL queries can be executed using this exploit, while data will not be returned, by carefully crafting `search` parameter information can be disclosed using timing and related attacks. Version 3.3.6 is the earliest version of Woocommerce with a patch for this vulnerability. There are no known workarounds other than upgrading. | ||||
| CVE-2021-24323 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 4.8 Medium |
| When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled | ||||
| CVE-2020-29156 | 1 Woocommerce | 1 Woocommerce | 2024-11-21 | 5.3 Medium |
| The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. | ||||