WooCommerce Security Vulnerabilities

CVE-2015-2069
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.2.11 for WordPress allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING of the wc-reports page (wp-admin/admin.php).
AI Score: 5.9 | EPSS: 0.003 | Published: 2015-02-24 05:59 PM

CVE-2015-2329
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order.
CVSS: 6.1 | AI Score: 6 | EPSS: 0.001 | Published: 2018-02-08 11:29 PM

CVE-2016-10112
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format.
CVSS: 4.8 | AI Score: 4.8 | EPSS: 0.001 | Published: 2017-01-04 02:59 AM

CVE-2017-17058
The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, which accesses a parent directory. NOTE: a software maintainer indicates that Directory Traversal is not possible because all of the template f...
CVSS: 7.5 | AI Score: 7.6 | EPSS: 0.005 | Published: 2017-11-29 07:29 AM

CVE-2017-18356
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involvi...
CVSS: 8.8 | AI Score: 8.7 | EPSS: 0.001 | Published: 2019-01-15 04:29 PM

CVE-2018-20714
The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress contains a file deletion vulnerability. It allows deletion of woocommerce.php, which removes certain privilege checks and therefore lets a shop manager escalate privileges to administrator.
CVSS: 8.1 | AI Score: 8 | EPSS: 0.001 | Published: 2019-01-15 04:29 PM

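The pattern behind CVE-2018-20714 is a deletion routine whose target path is built from request input without confining it to the log directory. The block below is an added illustration, not WooCommerce's own logging code: the demo_* names, the demo-logs directory under wp_upload_dir() and the nonce action are hypothetical, and it assumes a loaded WordPress install for wp_upload_dir(), trailingslashit(), current_user_can() and check_admin_referer().

```php
<?php
/**
 * Added illustration of the CVE-2018-20714 bug class: a log-deletion routine
 * that builds the target path from request input. Hypothetical demo_* names;
 * this is NOT WooCommerce's logging code. Assumes a loaded WordPress install.
 */

// Hypothetical log directory: wp-content/uploads/demo-logs/
function demo_log_dir(): string {
    return trailingslashit( wp_upload_dir()['basedir'] ) . 'demo-logs/';
}

// VULNERABLE pattern: the caller's "handle" is concatenated straight onto the
// directory. With this layout a handle of ../../plugins/woocommerce/woocommerce.php
// resolves to wp-content/plugins/woocommerce/woocommerce.php, the plugin's main
// file, which is the outcome the CVE text describes.
function demo_delete_log_vulnerable( string $handle ): bool {
    $path = demo_log_dir() . $handle;
    return is_file( $path ) && unlink( $path );
}

// HARDENED helper: returns the canonical path only if it names an existing
// regular .log file that really lives inside the log directory.
function demo_resolve_log_path( string $handle ): ?string {
    $dir = realpath( demo_log_dir() );
    if ( $dir === false ) {
        return null;
    }
    $name = basename( $handle );                                // drop any directory part
    if ( ! preg_match( '/^[A-Za-z0-9][A-Za-z0-9_-]*\.log$/', $name ) ) {
        return null;                                            // allow-list the file-name shape
    }
    $path = realpath( $dir . DIRECTORY_SEPARATOR . $name );     // resolves symlinks as well
    if ( $path === false || ! is_file( $path ) ) {
        return null;
    }
    if ( strncmp( $path, $dir . DIRECTORY_SEPARATOR, strlen( $dir ) + 1 ) !== 0 ) {
        return null;                                            // a symlink pointed outside the directory
    }
    return $path;
}

// HARDENED pattern: capability check, CSRF token, then the confined path.
// manage_options is an administrator capability; the shop_manager role does
// not carry it, so a shop manager cannot reach unlink() through this handler.
function demo_delete_log_hardened( string $handle ): bool {
    if ( ! current_user_can( 'manage_options' ) ) {
        return false;
    }
    check_admin_referer( 'demo_delete_log' );                   // hypothetical nonce action; dies on failure
    $path = demo_resolve_log_path( $handle );
    return $path !== null && unlink( $path );
}
```

basename() alone is not enough, because a symlink planted inside the log directory can still point at a file outside it; the realpath() prefix comparison is what closes that gap.
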
CVE-2018-20782
The GloBee plugin before 1.1.2 for WooCommerce mishandles IPN messages.
CVSS: 7.5 | AI Score: 7.4 | EPSS: 0.076 | Published: 2019-02-17 06:29 PM

CVE-2019-20891
WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.
CVSS: 8.8 | AI Score: 8.2 | EPSS: 0.001 | Published: 2020-06-19 09:15 PM

CVE-2019-9168
WooCommerce before 3.5.5 allows XSS via a Photoswipe caption.
CVSS: 6.1 | AI Score: 5.8 | EPSS: 0.001 | Published: 2022-10-03 04:19 PM

CVE-2020-29156
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
CVSS: 5.3 | AI Score: 5.3 | EPSS: 0.002 | Published: 2020-12-27 07:15 PM

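The bug class in CVE-2020-29156 is a missing object-level authorisation check: the action trusts whatever order_id the client sends. The following is an added illustration, not WooCommerce's own code; the demo_* handler names and the nonce action are hypothetical, and it assumes a loaded WordPress/WooCommerce environment for wc_get_order(), WC_Order, current_user_can(), the wp_ajax_* hooks and the wp_send_json_* helpers.

```php
<?php
/**
 * Added illustration of the CVE-2020-29156 bug class: an AJAX action that
 * returns an order's status for whatever order_id the client sends.
 * Hypothetical demo_* names and nonce action; this is NOT WooCommerce's code.
 * Assumes WordPress + WooCommerce are loaded.
 */

// VULNERABLE pattern: order_id is the only thing consulted, so anyone who can
// reach the endpoint can walk the ID space and read the status of every order.
function demo_fetch_order_status_vulnerable(): void {
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array( 'status' => $order->get_status() ) );
}

// Object-level authorisation: the order's own customer, or staff holding the
// WooCommerce management capability. Guests never pass here; guest orders need
// a separate token-based flow rather than a bare numeric ID.
function demo_user_can_view_order( WC_Order $order, int $user_id ): bool {
    if ( $user_id === 0 ) {
        return false;
    }
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    return (int) $order->get_customer_id() === $user_id;
}

// HARDENED pattern: CSRF nonce, then the ownership check, with one
// indistinguishable error for "no such order" and "not your order" so that
// valid IDs cannot be probed through the response.
function demo_fetch_order_status_hardened(): void {
    check_ajax_referer( 'demo_fetch_order_status', 'nonce' );  // hypothetical nonce action
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    // wc_get_order() may also return a refund object or false; accept only orders.
    if ( ! ( $order instanceof WC_Order )
        || ! demo_user_can_view_order( $order, get_current_user_id() ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array( 'status' => $order->get_status() ) );
}

// Register the logged-in hook only. Deliberately no wp_ajax_nopriv_ variant:
// that is the registration that would expose the handler to anonymous callers.
add_action( 'wp_ajax_demo_fetch_order_status', 'demo_fetch_order_status_hardened' );
```

The nonce stops cross-site requests but says nothing about which order the caller may read; the ownership check is the fix for this class of bug, and the two are not interchangeable.
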
CVE-2021-24323
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high-privilege users such as administrators to use XSS payloads even when the unfiltered_html capability is disabled.
CVSS: 4.8 | AI Score: 4.7 | EPSS: 0.001 | Published: 2021-05-17 05:15 PM

CVE-2021-32790
WooCommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpo...
CVSS: 4.9 | AI Score: 5.3 | EPSS: 0.001 | Published: 2021-07-26 05:15 PM

CVE-2022-0775
The WooCommerce WordPress plugin before 6.2.1 does not perform a proper authorisation check when deleting reviews, which could allow any authenticated user, such as a subscriber, to delete arbitrary comments.
CVSS: 4.3 | AI Score: 4.6 | EPSS: 0.001 | Published: 2024-01-16 04:15 PM

CVE-2022-2099
The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection because payment gateway titles are neither sanitised nor escaped.
CVSS: 4.8 | AI Score: 5 | EPSS: 0.001 | Published: 2022-07-17 11:15 AM

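CVE-2021-24323 and CVE-2022-2099 share one cause: a setting typed by a privileged user is stored and echoed back into wp-admin without sanitisation or escaping. The unfiltered_html capability is no defence in that situation, because it only controls whether WordPress runs KSES over post content on save; a plugin that never calls KSES or an escaping function bypasses it entirely. The block below is an added illustration, not WooCommerce's settings code: the demo_gateway_title option, the demo_* functions and the sample payload are constructed for this example, and it assumes a loaded WordPress install for the option, sanitisation and escaping helpers.

```php
<?php
/**
 * Added illustration of the stored-HTML-injection class behind CVE-2021-24323
 * and CVE-2022-2099: an admin-only text setting stored and echoed verbatim.
 * Hypothetical demo_* names and option key; NOT WooCommerce's settings code.
 * Assumes a loaded WordPress install.
 */

// Constructed sample input: what a privileged user could type into a "title" box.
const DEMO_TITLE_PAYLOAD = 'Pay by card<img src=x onerror=alert(document.domain)>';

// VULNERABLE pattern: raw in, raw out. No KSES, no escaping, so the
// unfiltered_html capability of the saving user never enters the picture.
function demo_save_title_vulnerable( string $raw ): void {
    update_option( 'demo_gateway_title', $raw );
}
function demo_render_title_row_vulnerable(): string {
    $title = get_option( 'demo_gateway_title', '' );
    return '<tr><td>' . $title . '</td><td><input name="t" value="' . $title . '"></td></tr>';
}

// HARDENED pattern, step 1: sanitise for the data type on the way in.
// A gateway title is plain text, so tags and control characters are removed.
function demo_sanitize_title( $raw ): string {
    return sanitize_text_field( wp_unslash( (string) $raw ) );
}
function demo_save_title_hardened( string $raw ): void {
    update_option( 'demo_gateway_title', demo_sanitize_title( $raw ) );
}

// Step 2: escape for the exact output context on the way out. Input
// sanitisation is not a substitute: the same value can also arrive through
// the database, the REST API or an import, so output escaping must always hold.
function demo_render_title_row_hardened(): string {
    $title = get_option( 'demo_gateway_title', '' );
    return '<tr><td>' . esc_html( $title ) . '</td>'
         . '<td><input name="t" value="' . esc_attr( $title ) . '"></td></tr>';
}

// Where a field legitimately carries limited HTML (a description, not a title),
// filter to the post-content allow-list instead of stripping everything.
function demo_sanitize_description( $raw ): string {
    return wp_kses_post( wp_unslash( (string) $raw ) );
}

// Wire the sanitiser into the Settings API so every save path runs it.
add_action( 'admin_init', function () {
    register_setting( 'demo_settings', 'demo_gateway_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_title',
    ) );
} );
```

Choose the escaping function by context, not by habit: esc_html() for element text, esc_attr() inside attribute values, esc_url() for href/src, and wp_json_encode() for values handed to inline JavaScript.
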
CVE-2023-25788
Cross-Site Request Forgery (CSRF) vulnerability in the Saphali Woocommerce Lite plugin (by Saphali), versions <= 1.8.13.
CVSS: 8.8 | AI Score: 8.8 | EPSS: 0.001 | Published: 2023-10-04 11:15 AM

CVE-2023-32575
Authenticated (admin+) stored cross-site scripting (XSS) vulnerability in the PI Websolution Product page shipping calculator for WooCommerce plugin, versions <= 1.3.25.
CVSS: 5.9 | AI Score: 4.8 | EPSS: 0.0004 | Published: 2023-08-25 11:15 AM

CVE-2023-47777
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce and Automattic WooCommerce Blocks allows stored XSS. This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1.
CVSS: 6.5 | AI Score: 5.7 | EPSS: 0.001 | Published: 2023-11-30 12:15 PM

CVE-2023-52222
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2.
CVSS: 8.8 | AI Score: 8.6 | EPSS: 0.001 | Published: 2024-01-08 07:15 PM