Automattic WooCommerce


By the Year

In 2026 there has been 1 vulnerability in Automattic WooCommerce, with an average score of 7.5 out of ten. Last year, in 2025, WooCommerce had 6 security vulnerabilities published. Right now, WooCommerce is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.46.

Year   Vulnerabilities   Average Score
2026   1                 7.50
2025   6                 6.04
2024   7                 7.90
2023   1                 5.40

It may take a day or so for new WooCommerce vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Automattic Woocommerce Security Vulnerabilities

WooCommerce 5.4.0-10.5.2: Unauth CSRF Allows Admin User Creation
CVE-2026-3589 7.5 - High - March 06, 2026

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged-in admin call non-store/WC REST endpoints and, for example, create arbitrary admin users via a CSRF attack.

Session Riding

WooCommerce 8.1-10.4.2 Order Data Leakage to Auth Customers
CVE-2025-15033 6.5 - Medium - December 22, 2025

A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.

Information Disclosure

WooCommerce <=7.8.2 Sensitive Info Exposure via Improper CORS
CVE-2023-7320 5.3 - Medium - October 29, 2025

The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information, including PII (personally identifiable information).

Information Disclosure

Stored XSS in WooCommerce (v10.0.2) Improper Input Neutralization
CVE-2025-49042 5.9 - Medium - October 29, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce allows Stored XSS. This issue affects WooCommerce: from n/a through 10.0.2.

XSS

Product Subtitle for WooCommerce <=1.3.9 Stored XSS via htmlTag param
CVE-2025-5285 6.4 - Medium - May 31, 2025

The Product Subtitle for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the htmlTag parameter in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

PostMessage-Based XSS in WooCommerce <9.4.3
CVE-2025-5062 6.1 - Medium - May 22, 2025

The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

XSS

WooCommerce XSS via Improper Input Neutralization Before 9.7.0
CVE-2025-26762 - March 27, 2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce allows Stored XSS. This issue affects WooCommerce: from n/a through 9.7.0.

XSS

WooCommerce HTML Injection 9.0.2 (WP)
CVE-2024-9944 6.1 - Medium - October 15, 2024

The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions.

XSS

XSS in Automattic WooCommerce <=9.1.2
CVE-2024-39666 - August 18, 2024

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 9.1.2.

XSS

WooCommerce <=8.9.2 Improper Neutralization of Special Elements (Injection)
CVE-2024-35777 - July 09, 2024

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing. This issue affects WooCommerce: from n/a through 8.9.2.

Injection

WooCommerce WP Plugin 8.6 - Contributor Role Data Leakage
CVE-2024-1310 - April 15, 2024

The WooCommerce WordPress plugin before 8.6 does not prevent users with at least the Contributor role from leaking products they shouldn't have access to (e.g. private, draft, and trashed products).

WooCommerce CSRF (<=8.5.2)
CVE-2024-22155 - April 07, 2024

Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.5.2.

Session Riding

Missing Auth in WooCommerce Box Office (<=1.2.2)
CVE-2024-24799 8.8 - High - March 26, 2024

Missing Authorization vulnerability in WooCommerce Box Office. This issue affects WooCommerce Box Office: from n/a through 1.2.2.

AuthZ

CSRF in Automattic WooCommerce 8.2.2
CVE-2023-52222 8.8 - High - January 08, 2024

Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2.

Session Riding

WooCommerce Stored XSS in Blocks until 11.1.1
CVE-2023-47777 5.4 - Medium - November 30, 2023

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce and Automattic WooCommerce Blocks allows Stored XSS. This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1.

XSS

The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability
CVE-2017-17058 7.5 - High - November 29, 2017

The WooCommerce plugin through 3.x for WordPress has a Directory Traversal vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, which accesses a parent directory. NOTE: a software maintainer indicates that Directory Traversal is not possible because all of the template files contain the guard "if (!defined('ABSPATH')) {exit;}".

Directory traversal
