Search Results (222 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-49911 3 Woocommerce, Wordpress, Wpinstinct 3 Woocommerce, Wordpress, Woo Commerce Vehicle Parts Finder 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Reflected XSS.This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7.
CVE-2025-53422 3 Themewarriors, Woocommerce, Wordpress 3 Whatsapp Chat, Woocommerce, Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeWarriors WhatsApp Chat for WordPress and WooCommerce tw-whatsapp-chat-rotator allows Reflected XSS.This issue affects WhatsApp Chat for WordPress and WooCommerce: from n/a through <= 1.2.1.
CVE-2025-53297 3 Aa-team, Woocommerce, Wordpress 3 Woocommerce Envato Affiliates, Woocommerce, Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Envato Affiliates wooenvato allows Reflected XSS.This issue affects Woocommerce Envato Affiliates: from n/a through <= 1.2.1.
CVE-2025-64200 3 Villatheme, Woocommerce, Wordpress 3 Woocommerce Email Template Customizer, Woocommerce, Wordpress 2026-04-15 5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Email Template Customizer for WooCommerce email-template-customizer-for-woo allows Stored XSS.This issue affects Email Template Customizer for WooCommerce: from n/a through <= 1.2.17.
CVE-2025-13457 3 Automattic, Woocommerce, Wordpress 3 Woocommerce Square, Woocommerce, Wordpress 2026-04-15 7.5 High
The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site.
CVE-2025-64289 3 Premmerce, Woocommerce, Wordpress 4 Premmerce, Product Search For Woocommerce, Woocommerce and 1 more 2026-04-15 5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premmerce Premmerce Product Search for WooCommerce premmerce-search allows Stored XSS.This issue affects Premmerce Product Search for WooCommerce: from n/a through <= 2.2.5.
CVE-2025-60243 3 Holest Engineering, Woocommerce, Wordpress 3 Selling Commander For Woocommerce, Woocommerce, Wordpress 2026-04-15 9.8 Critical
Incorrect Privilege Assignment vulnerability in Holest Engineering Selling Commander for WooCommerce selling-commander-connector allows Privilege Escalation.This issue affects Selling Commander for WooCommerce: from n/a through <= 1.2.46.
CVE-2020-36841 1 Woocommerce 1 Woocommerce Smart Coupons 2026-04-15 5.3 Medium
The WooCommerce Smart Coupons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the woocommerce_coupon_admin_init function in versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to send themselves gift certificates of any value, which could be redeemed for products sold on the victim’s storefront.
CVE-2025-49379 3 Silverplugins217, Woocommerce, Wordpress 3 Custom Fields Account Registration For Woocommerce, Woocommerce, Wordpress 2026-04-15 7.2 High
Incorrect Privilege Assignment vulnerability in silverplugins217 Custom Fields Account Registration For Woocommerce custom-fields-account-registration-for-woocommerce allows Privilege Escalation.This issue affects Custom Fields Account Registration For Woocommerce: from n/a through <= 1.2.
CVE-2025-67542 3 Silkypress, Woocommerce, Wordpress 3 Multi Step Checkout For Woocommerce, Woocommerce, Wordpress 2026-04-15 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SilkyPress Multi-Step Checkout for WooCommerce wp-multi-step-checkout allows DOM-Based XSS.This issue affects Multi-Step Checkout for WooCommerce: from n/a through <= 2.33.
CVE-2025-68011 3 Gls, Woocommerce, Wordpress 3 Shipping For Woocommerce, Woocommerce, Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce allows Reflected XSS.This issue affects GLS Shipping for WooCommerce: from n/a through <= 1.4.0.
CVE-2024-10567 1 Woocommerce 1 Woocommerce 2026-04-15 7.5 High
The TI WooCommerce Wishlist plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wizard' function in all versions up to, and including, 2.9.1. This makes it possible for unauthenticated attackers to create new pages, modify plugin settings, and perform limited options updates.
CVE-2025-10412 2 Woocommerce, Wordpress 2 Woocommerce, Wordpress 2026-04-15 9.8 Critical
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.55. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-10162 2 Woocommerce, Wordpress 2 Woocommerce, Wordpress 2026-04-15 7.5 High
The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files via a path traversal attack
CVE-2024-10820 2 Vanquish, Woocommerce 2 Woocommerce Upload Files, Upload Files 2026-04-08 9.8 Critical
The WooCommerce Upload Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 84.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-9944 2 Woocommerce, Woothemes 2 Woocommerce, Woocommerce 2026-04-08 5.3 Medium
The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions.
CVE-2022-0775 1 Woocommerce 1 Woocommerce 2025-06-11 4.3 Medium
The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment
CVE-2024-1747 2 Vanquish, Woocommerce 2 Woocommerce Customers Manager, Woocommerce Customers Manager 2025-05-29 6.5 Medium
The WooCommerce Customers Manager WordPress plugin before 30.2 does not have authorisation and CSRF in various AJAX actions, allowing any authenticated users, such as subscriber, to call them and update/delete/create customer metadata, also leading to Stored Cross-Site Scripting due to the lack of escaping of said metadata values.
CVE-2024-2843 2 Vanquish, Woocommerce 2 Woocommerce Customers Manager, Woocommerce Customers Manager 2025-05-29 6.5 Medium
The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin users delete users via CSRF attacks
CVE-2024-3983 2 Vanquish, Woocommerce 2 Woocommerce Customers Manager, Woocommerce Customers Manager 2025-05-29 8.1 High
The WooCommerce Customers Manager WordPress plugin before 30.1 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting customers via CSRF attacks