Woocommerce

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-5062 1Woocommerce 1Woocommerce Sep 30, 2025 May 22, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output es...Show more The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.Show less
CVE-2024-9944 1Woocommerce 1Woocommerce Oct 17, 2024 Oct 15, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes i...Show more The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions.Show less
CVE-2023-35049 1Woocommerce 1Stripe Payment Gateway Mar 10, 2025 Jun 19, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Missing Authorization vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.4.0.
CVE-2023-51497 1Woocommerce 1Shipping Multiple Addresses Nov 21, 2024 Jun 14, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Missing Authorization vulnerability in Woo WooCommerce Ship to Multiple Addresses.This issue affects WooCommerce Ship to Multiple Addresses: from n/a through 3.8.9.
CVE-2023-51496 1Woocommerce 1Returns And Warranty Requests Nov 21, 2024 Jun 14, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Missing Authorization vulnerability in Woo WooCommerce Warranty Requests.This issue affects WooCommerce Warranty Requests: from n/a through 2.2.7.
CVE-2023-51495 1Woocommerce 1Returns And Warranty Requests Nov 21, 2024 Jun 14, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Missing Authorization vulnerability in Woo WooCommerce Warranty Requests.This issue affects WooCommerce Warranty Requests: from n/a through 2.2.7.
CVE-2024-37297 1Woocommerce 1Woocommerce Nov 21, 2024 Jun 12, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScrip...Show more WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.Show less
CVE-2023-34003 1Woocommerce 1Box Office Nov 21, 2024 Jun 9, 2024 N/A· v4 5.3 MEDIUM· v3 N/A· v2 Missing Authorization vulnerability in Woo WooCommerce Box Office.This issue affects WooCommerce Box Office: from n/a through 1.1.51.
CVE-2023-51494 1Woocommerce 1Product Vendors Nov 21, 2024 Jun 9, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Missing Authorization vulnerability in Woo WooCommerce Product Vendors.This issue affects WooCommerce Product Vendors: from n/a through 2.2.1.
CVE-2023-44999 1Woocommerce 1Stripe Payment Gateway Apr 28, 2026 Mar 27, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Stripe Payment Gateway.This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.0.
CVE-2024-24799 1Woocommerce 1Box Office Apr 28, 2026 Mar 26, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Missing Authorization vulnerability in WooCommerce WooCommerce Box Office.This issue affects WooCommerce Box Office: from n/a through 1.2.2.
CVE-2024-27193 1Woocommerce 1Payu India Payment Gateway Apr 23, 2026 Mar 15, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PayU India PayU India payu-india allows DOM-Based XSS.This issue affects PayU India: from n/a through <= 3.8.8.
CVE-2022-0775 1Woocommerce 1Woocommerce Jun 11, 2025 Jan 16, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment
CVE-2023-52222 1Woocommerce 1Woocommerce Apr 28, 2026 Jan 8, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.2.2.
CVE-2023-32795 1Woocommerce 1Product Addons Apr 28, 2026 Dec 28, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Deserialization of Untrusted Data vulnerability in WooCommerce Product Add-Ons.This issue affects Product Add-Ons: from n/a through 6.1.3.
CVE-2023-32799 1Woocommerce 1Shipping Multiple Addresses Apr 28, 2026 Dec 21, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Shipping Multiple Addresses.This issue affects Shipping Multiple Addresses: from n/a through 3.8.3.
CVE-2023-33318 1Woocommerce 1Automatewoo Apr 28, 2026 Dec 20, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type vulnerability in WooCommerce AutomateWoo.This issue affects AutomateWoo: from n/a through 4.9.40.
CVE-2023-33330 1Woocommerce 1Automatewoo Apr 28, 2026 Dec 20, 2023 N/A· v4 8.1 HIGH· v3 N/A· v2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo.This issue affects AutomateWoo: from n/a through 4.9.50.
CVE-2023-32743 1Woocommerce 1Automatewoo Apr 28, 2026 Dec 20, 2023 N/A· v4 4.9 MEDIUM· v3 N/A· v2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo.This issue affects AutomateWoo: from n/a through 5.7.1.
CVE-2023-32794 1Woocommerce 1Product Addons Apr 28, 2026 Nov 9, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce Product Add-Ons plugin <= 6.1.3 versions.

12 3 4 Next