Automattic

Products by Automattic Sorted by Most Security Vulnerabilities since 2018

Automattic Woocommerce: 16 vulnerabilities
Automattic Jetpack: 12 vulnerabilities
Automattic Sensei Lms: 8 vulnerabilities
Automattic Activitypub: 5 vulnerabilities
Automattic Woopayments: 5 vulnerabilities
Automattic Jetpack Crm: 5 vulnerabilities
Automattic Mailpoet: 3 vulnerabilities
Automattic Jetpack Boost: 3 vulnerabilities
Automattic Newspack: 2 vulnerabilities
Automattic Wp Job Manager: 2 vulnerabilities
Automattic Wordpress: 2 vulnerabilities
Automattic Developer: 1 vulnerability
Automattic Ghacitivity: 1 vulnerability
Automattic Newspack Ads: 1 vulnerability
Automattic Ghactivity: 1 vulnerability

By the Year

In 2026 there have been 5 vulnerabilities in Automattic with an average score of 6.3 out of ten. Last year, in 2025, Automattic had 18 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in Automattic in 2026 could surpass last year's number. Additionally, the average CVE base score of the vulnerabilities in 2026 is greater by 1.05.

Year  Vulnerabilities  Average Score
2026  5                6.33
2025  18               5.28
2024  24               6.85
2023  23               7.02
2022  6                6.13
2021  5                6.52
2020  1                6.10

It may take a day or so for new Automattic vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Automattic Security Vulnerabilities

CVE | Date | Products
(each entry: title on the first line, NVD-style description below)

CVE-2026-3589 | Mar 06, 2026 | Woocommerce
WooCommerce 5.4.0-10.5.2: Unauth CSRF Allows Admin User Creation
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged-in admin call non-store/WC REST endpoints and, for example, create arbitrary admin users via a CSRF attack.

CVE-2026-22356 | Feb 20, 2026 | Jetpack Crm
Jetpack CRM <=6.7.0 LFI via Improper Filename Control
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Automattic Jetpack CRM zero-bs-crm allows PHP Local File Inclusion. This issue affects Jetpack CRM: from n/a through <= 6.7.0.

CVE-2026-25404 | Feb 19, 2026 | Wp Job Manager
Missing Auth in WP Job Manager <=2.4 (Automattic Plugin)
Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Manager: from n/a through <= 2.4.0.

CVE-2023-54332 | Jan 13, 2026 | Jetpack, Jetpack Boost
Jetpack 11.4 XSS in Contact Form via post_id enables script injection
Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page.

CVE-2023-52212 | Jan 05, 2026 | Wp Job Manager
WP Job Manager <=2.0.0 CSRF Vulnerability in Plugin
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager allows Cross Site Request Forgery. This issue affects WP Job Manager: from n/a through 2.0.0.

CVE-2025-69015 | Dec 30, 2025 | Crowdsignal Forms
Missing Authorization vulnerability in Automattic Crowdsignal Forms crowdsignal-forms
Missing Authorization vulnerability in Automattic Crowdsignal Forms crowdsignal-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crowdsignal Forms: from n/a through <= 1.7.2.

CVE-2025-15033 | Dec 22, 2025 | Woocommerce
WooCommerce 8.1-10.4.2 Order Data Leakage to Auth Customers
A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as in all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.

CVE-2023-7320 | Oct 29, 2025 | Woocommerce
WooCommerce <=7.8.2 Sensitive Info Exposure via Improper CORS
The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information including PII (Personally Identifiable Information).

CVE-2025-49042 | Oct 29, 2025 | Woocommerce
Stored XSS in WooCommerce (v10.0.2) Improper Input Neutralization
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS. This issue affects WooCommerce: from n/a through 10.0.2.

CVE-2025-58674 | Sep 23, 2025 | Wordpress
WordPress Core Stored XSS (CVE-2025-58674) up to v6.8.2
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordPress allows Stored XSS. The WordPress core security team is aware of the issue and working on a fix. This is a low severity vulnerability that requires an attacker to have Author or higher user privileges to execute the attack vector. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.

CVE-2025-58246 | Sep 23, 2025 | Wordpress
WP <=6.8.2: Insert Sensitive Info into Outgoing Data (Contributor Priv.)
Insertion of Sensitive Information Into Sent Data vulnerability in WordPress allows Retrieve Embedded Sensitive Data. The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability. Contributor-level privileges are required in order to exploit it. This issue affects WordPress: from 6.8 through 6.8.2, from 6.7 through 6.7.3, from 6.6 through 6.6.3, from 6.5 through 6.5.6, from 6.4 through 6.4.6, from 6.3 through 6.3.6, from 6.2 through 6.2.7, from 6.1 through 6.1.8, from 6.0 through 6.0.10, from 5.9 through 5.9.11, from 5.8 through 5.8.11, from 5.7 through 5.7.13, from 5.6 through 5.6.15, from 5.5 through 5.5.16, from 5.4 through 5.4.17, from 5.3 through 5.3.19, from 5.2 through 5.2.22, from 5.1 through 5.1.20, from 5.0 through 5.0.23, from 4.9 through 4.9.27, from 4.8 through 4.8.26, from 4.7 through 4.7.30.

CVE-2025-57924 | Sep 22, 2025 | Developer
Automattic Developer <1.2.6 CSRF Vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in Automattic Developer allows Cross Site Request Forgery. This issue affects Developer: from n/a through 1.2.6.

CVE-2025-5285 | May 31, 2025 | Woocommerce
WooCommerce <=1.3.9 Stored XSS via htmlTag param
The Product Subtitle for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the htmlTag parameter in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2025-5062 | May 22, 2025 | Woocommerce
PostMessage-Based XSS in WooCommerce <9.4.3
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2023-7168 | May 15, 2025 | Jetpack
Jetpack <=8.0 XSS via Unsanitized Settings in Better Follow Button
The Better Follow Button for Jetpack WordPress plugin through 8.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-6584 | May 15, 2025 | Jetpack Boost
Arbitrary GET via wp_ajax_boost_proxy_ig in WordPress Boost Plugin
The 'wp_ajax_boost_proxy_ig' action allows administrators to make GET requests to arbitrary URLs.

CVE-2024-8009 | May 15, 2025 | Sensei Lms
WP Sensei LMS <4.20.0 - User Email Disclosure to Teachers
The Sensei LMS WordPress plugin before 4.20.0 discloses all users of the blog, including their email address, to teachers on the students page.

CVE-2024-12743 | May 15, 2025 | Mailpoet
MailPoet WP Plugin Before 5.5.2: Stored XSS via Unsanitized Settings
The MailPoet WordPress plugin before 5.5.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

CVE-2024-10075 | May 15, 2025 | Jetpack
Jetpack WP Plugin <13.8: Auth Bypass Allows Unauth Shortcode Exec
The Jetpack WordPress plugin before 13.8 does not ensure that the post created by the Contact Form is only accessible to authorised users, which could allow unauthenticated users to run arbitrary shortcodes and blocks.

CVE-2024-10076 | May 15, 2025 | Jetpack, Jetpack Boost
Jetpack WordPress Plugin XSS via regex in Site Accelerator (v<13.8, Boost<3.4.8)
The Jetpack WordPress plugin before 13.8 and the Jetpack Boost WordPress plugin before 3.4.8 use regexes in the Site Accelerator features when switching image URLs to their CDN counterpart. Unfortunately, some of them may match patterns they shouldn't, ultimately making it possible for contributor and above users to perform Stored XSS attacks.

CVE-2025-22740 | Mar 27, 2025 | Sensei Lms
Sensei LMS v4.24.4: Missing Authorization Vulnerability (CVE-2025-22740)
Missing Authorization vulnerability in Automattic Sensei LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sensei LMS: from n/a through 4.24.4.

CVE-2025-26762 | Mar 27, 2025 | Woocommerce
WooCommerce XSS via Improper Input Neutralization Before 9.7.0
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce allows Stored XSS. This issue affects WooCommerce: from n/a through 9.7.0.

CVE-2025-0466 | Feb 04, 2025 | Sensei Lms
WordPress Sensei LMS REST API Info Leak (v4.24.4-)
The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message information.

CVE-2024-10858 | Dec 25, 2024 | Jetpack
Jetpack WordPress Plugin DOM-XSS Vulnerability in Postmessage Origin Check
The Jetpack WordPress plugin before 14.1 does not properly check the postMessage origin in its 13.x versions, allowing it to be bypassed and leading to DOM-XSS. The issue only affects websites hosted on WordPress.com.

CVE-2024-43338 | Nov 19, 2024 | Crowdsignal Dashboard
Crowdsignal Dashboard 3.1.2 - CSRF in Automattic WordPress Plugin
Cross-Site Request Forgery (CSRF) vulnerability in Automattic, Inc. Crowdsignal Dashboard Polls, Surveys & more allows Cross Site Request Forgery. This issue affects Crowdsignal Dashboard Polls, Surveys & more: from n/a through 3.1.2.

CVE-2024-10103 | Nov 19, 2024 | Mailpoet
MailPoet WordPress Plugin Stored XSS Vulnerability
In the process of testing the MailPoet WordPress plugin before 5.3.2, a vulnerability was found that allows Stored XSS on behalf of the editor by embedding a malicious script, which entails an account takeover backdoor.

CVE-2024-9926 | Nov 07, 2024 | Jetpack
Jetpack REST API Auth Bypass
The Jetpack WordPress plugin does not have proper authorisation in one of its REST endpoints, allowing any authenticated user, such as a subscriber, to read arbitrary feedback data sent via the Jetpack Contact Form.

CVE-2024-9944 | Oct 15, 2024 | Woocommerce
WooCommerce HTML Injection 9.0.2 (WP)
The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions.

CVE-2024-7786 | Sep 04, 2024 | Sensei Lms
Unauth REST API Email Template Leak in Sensei LMS <4.24.2
The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak email templates.

CVE-2024-43949 | Aug 29, 2024 | Ghacitivity, Ghactivity
Automattic GHActivity <=2.0.0-alpha Stored XSS
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic GHActivity allows Stored XSS. This issue affects GHActivity: from n/a through 2.0.0-alpha.

CVE-2024-35686 | Aug 18, 2024 | Sensei Lms
Missing Auth in Automattic Sensei LMS & Pro 4.23.1
Missing Authorization vulnerability in Automattic Sensei LMS, Automattic Sensei Pro (WC Paid Courses). This issue affects Sensei LMS: from n/a through 4.23.1; Sensei Pro (WC Paid Courses): from n/a through 4.23.1.1.23.1.

CVE-2024-39666 | Aug 18, 2024 | Woocommerce
XSS in Automattic WooCommerce <=9.1.2
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 9.1.2.

CVE-2024-35777 | Jul 09, 2024 | Woocommerce
WooCommerce <=8.9.2 Improper Neutralization of Special Elements (Injection)
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing. This issue affects WooCommerce: from n/a through 8.9.2.

CVE-2024-37474 | Jul 04, 2024 | Newspack, Newspack Ads
Newspack Ads Stored XSS (v1.47.1)
Cross Site Scripting (XSS) vulnerability in Automattic Newspack Ads allows Stored XSS. This issue affects Newspack Ads: from n/a through 1.47.1.

CVE-2024-37476 | Jul 04, 2024 | Newspack, Newspack Popups
Automattic Newspack Campaigns: Stored XSS Vulnerability before 2.31.1
Cross Site Scripting (XSS) vulnerability in Automattic Newspack Campaigns allows Stored XSS. This issue affects Newspack Campaigns: from n/a through 2.31.1.

CVE-2023-47788 | Jun 19, 2024 | Jetpack
Automattic Jetpack <12.7 Missing Auth Vulnerability
Missing Authorization vulnerability in Automattic Jetpack. This issue affects Jetpack: from n/a before 12.7.

CVE-2023-52199 | Jun 11, 2024 | Activitypub
Missing Auth in Automattic ActivityPub <1.0.5
Missing Authorization vulnerability in Matthias Pfefferle & Automattic ActivityPub. This issue affects ActivityPub: from n/a through 1.0.5.

CVE-2024-4392 | May 14, 2024 | Jetpack
Jetpack WP Plugin Stored XSS via wpvideo shortcode (13.3.1)
The Jetpack WP Security, Backup, Speed, & Growth plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpvideo shortcode in all versions up to, and including, 13.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-47774 | Apr 24, 2024 | Jetpack
Jetpack 12.7 Clickjacking via Unrestricted UI Layer Rendering
Improper Restriction of Rendered UI Layers or Frames vulnerability in Automattic Jetpack allows Clickjacking. This issue affects Jetpack: from n/a before 12.7.

CVE-2024-1310 | Apr 15, 2024 | Woocommerce
WooCommerce WP Plugin 8.6 - Contributor Role Data Leakage
The WooCommerce WordPress plugin before 8.6 does not prevent users with at least the contributor role from leaking products they shouldn't have access to (e.g. private, draft and trashed products).

CVE-2024-22155 | Apr 07, 2024 | Woocommerce
WooCommerce CSRF (<=8.5.2)
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.5.2.

CVE-2024-24799 | Mar 26, 2024 | Woocommerce
Missing Auth in WooCommerce Box Office (<=1.2.2)
Missing Authorization vulnerability in WooCommerce WooCommerce Box Office. This issue affects WooCommerce Box Office: from n/a through 1.2.2.

CVE-2023-51489 | Mar 16, 2024 | Crowdsignal Dashboard
Crowdsignal Dashboard Polls CSRF Vulnerability v3.0.11
Cross-Site Request Forgery (CSRF) vulnerability in Automattic, Inc. Crowdsignal Dashboard Polls, Surveys & more. This issue affects Crowdsignal Dashboard Polls, Surveys & more: from n/a through 3.0.11.

CVE-2023-50875 | Feb 12, 2024 | Sensei Lms
Stored XSS in Automattic Sensei LMS <=4.17.0 (CVE-2023-50875)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Sensei LMS Online Courses, Quizzes, & Learning allows Stored XSS. This issue affects Sensei LMS Online Courses, Quizzes, & Learning: from n/a through 4.17.0.

CVE-2023-51488 | Feb 10, 2024 | Crowdsignal Dashboard
Crowdsignal Dashboard Reflected XSS before 3.0.11
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic, Inc. Crowdsignal Dashboard Polls, Surveys & more allows Reflected XSS. This issue affects Crowdsignal Dashboard Polls, Surveys & more: from n/a through 3.0.11.

CVE-2023-52222 | Jan 08, 2024 | Woocommerce
CSRF in Automattic WooCommerce 8.2.2
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2.

CVE-2023-51502 | Jan 05, 2024 | Woocommerce Stripe
WooCommerce Stripe GW: Auth Bypass via User Key fixed 7.6.2
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.1.

CVE-2023-51503 | Dec 31, 2023 | Woopayments
CVE-2023-51503: Auth Bypass via User-Controlled Key in WooPayments < 6.9.2
Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments Fully Integrated Solution Built and Supported by Woo. This issue affects WooPayments Fully Integrated Solution Built and Supported by Woo: from n/a through 6.9.2.

CVE-2023-50879 | Dec 29, 2023 | Wordpress Com Editing Toolkit
Stored XSS in WP.com Editing Toolkit v<=3.78784
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WordPress.Com Editing Toolkit allows Stored XSS. This issue affects WordPress.Com Editing Toolkit: from n/a through 3.78784.

CVE-2023-32747 | Dec 21, 2023 | Woocommerce Bookings
WooCommerce Bookings Auth Bypass via User-Controlled Key (1.15.78)
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Bookings. This issue affects WooCommerce Bookings: from n/a through 1.15.78.
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).