Woocommerce


Products by Woocommerce Sorted by Most Security Vulnerabilities since 2018

Product                        Vulnerabilities
Woocommerce                    25
Woocommerce Box Office         2
Woocommerce Upload Files       2
Woocommerce Product Addons     2
Woocommerce Smart Coupons      1
Woocommerce Streamline Lv      1
Woocommerce Dropshipping       1

By the Year

In 2026 there have been 3 vulnerabilities in Woocommerce, with an average score of 7.4 out of ten. Last year, in 2025, Woocommerce had 6 security vulnerabilities published. At the current rate, the number of vulnerabilities this year may end up equal to last year's. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.30.
Year  Vulnerabilities  Average Score
2026  3                7.40
2025  6                6.10
2024  21               6.88
2023  35               6.67
2022  2                5.45
2021  5                7.08
2020  2                5.30
2019  6                6.50

It may take a day or so for new Woocommerce vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Woocommerce Security Vulnerabilities

Each entry gives the CVE identifier, the publication date, the title, the description, and the product(s) the entry is tagged under.

CVE-2026-9284 (May 23, 2026)
Title: Unauthorized Order Manipulation in WooCommerce PayPal Payments <=4.0.1 WC-AJAX
Description: The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all versions up to, and including, 4.0.1. The `ppc-create-order` endpoint accepts an arbitrary WooCommerce order ID in the `pay-now` context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The `ppc-get-order` endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes it possible for unauthenticated attackers to chain these endpoints to manipulate other customers' order payment flows and exfiltrate sensitive order details (payer information, shipping data) by creating a PayPal order for a victim's WC order and then retrieving the PayPal order data.
Products: (none listed)

CVE-2026-1710 (Mar 31, 2026)
Title: WooPayments 10.5.1: Unauth Setting Update via missing capability check
Description: The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to update plugin settings.
Products: Woocommerce

CVE-2025-13457 (Jan 10, 2026)
Title: Insecure Direct Object Reference in WooCommerce Square Plugin <=5.1.1
Description: The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site.
Products: Woocommerce
CVE-2025-12398 (Dec 21, 2025)
Title: WooCommerce <=5.0.8 Reflected XSS via search_key
Description: The Product Table for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_key' parameter in all versions up to, and including, 5.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Products: Woocommerce

CVE-2023-7320 (Oct 29, 2025)
Title: WooCommerce <=7.8.2 Sensitive Info Exposure via Improper CORS
Description: The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information including PII (Personally Identifiable Information).
Products: Woocommerce

CVE-2025-57956 (Sep 22, 2025)
Title: WooMS 0-9.12 Cross-Site Scripting (stored XSS) via wpcraft
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpcraft WooMS allows Stored XSS. This issue affects WooMS: from n/a through 9.12.
Products: Woocommerce

CVE-2025-5062 (May 22, 2025)
Title: PostMessage-Based XSS in WooCommerce <9.4.3
Description: The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Products: Woocommerce

CVE-2025-32545 (Apr 17, 2025)
Title: WooCommerce Products CSRF/Reflected XSS for products w/o featured images v<=0.1
Description: Cross-Site Request Forgery (CSRF) vulnerability in SOFTAGON WooCommerce Products without featured images (woocommerce-products-without-featured-images) allows Reflected XSS. This issue affects WooCommerce Products without featured images: from n/a through <= 0.1.
Products: Woocommerce

CVE-2024-13868 (Mar 06, 2025)
Title: XSS in WooCommerce WP Plugin 9.0.2: Unsanitized URL Shortener Param
Description: The URL Shortener | Conversion Tracking | AB Testing | WooCommerce WordPress plugin through 9.0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Products: Woocommerce
CVE-2023-49817 (Dec 09, 2024)
Title: Missing Auth in Flexible WooCommerce Checkout Editor v<=2.0.1
Description: Missing Authorization vulnerability in heolixfy Flexible Woocommerce Checkout Field Editor (flexible-woocommerce-checkout-field-editor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Flexible Woocommerce Checkout Field Editor: from n/a through <= 2.0.1.
Products: Checkout Field Editor

CVE-2023-49194 (Dec 09, 2024)
Title: Importify WooCommerce Debug Data Leak <=1.0.4
Description: Insertion of Sensitive Information Into Debugging Code vulnerability in importify Importify (Dropshipping WooCommerce) allows Retrieve Embedded Sensitive Data. This issue affects Importify (Dropshipping WooCommerce): from n/a through <= 1.0.4.
Products: Dropshipping

CVE-2024-10567 (Dec 04, 2024)
Title: TI WooCommerce Wishlist Plugin: Unauthorized Data Modification Vulnerability
Description: The TI WooCommerce Wishlist plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wizard' function in all versions up to, and including, 2.9.1. This makes it possible for unauthenticated attackers to create new pages, modify plugin settings, and perform limited options updates.
Products: Woocommerce

CVE-2024-10820 (Nov 13, 2024)
Title: WooCommerce Upload Files Plugin: Arbitrary File Upload Vulnerability
Description: The WooCommerce Upload Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 84.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Products: Upload Files

CVE-2024-47634 (Oct 20, 2024)
Title: CartBounty Save & Recover Abandoned Carts for WooCommerce CSRF Prior to 8.2
Description: Cross-Site Request Forgery (CSRF) vulnerability in Streamline CartBounty Save and recover abandoned carts for WooCommerce (woo-save-abandoned-carts) allows Cross Site Request Forgery. This issue affects CartBounty Save and recover abandoned carts for WooCommerce: from n/a through <= 8.2.
Products: Streamline Lv

CVE-2020-36841 (Oct 16, 2024)
Title: WooCommerce Smart Coupons Auth Bypass <=4.6.0 Gift Cert Abuse
Description: The WooCommerce Smart Coupons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the woocommerce_coupon_admin_init function in versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to send themselves gift certificates of any value, which could be redeemed for products sold on the victim's storefront.
Products: Woocommerce Smart Coupons

CVE-2017-20193 (Oct 16, 2024)
Title: XSS in WooCommerce Product Vendors <=2.0.35
Description: The Product Vendors plugin is vulnerable to Reflected Cross-Site Scripting via the 'vendor_description' parameter in versions up to, and including, 2.0.35 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Products: (none listed)

CVE-2024-9944 (Oct 15, 2024)
Title: WooCommerce HTML Injection 9.0.2 (WP)
Description: The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions.
Products: Woocommerce
CVE-2023-35049 (Jun 19, 2024)
Title: WooCommerce Stripe PG Missing Auth, before 7.4.0
Description: Missing Authorization vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.4.0.
Products: Stripe Payment Gateway

CVE-2023-51495 (Jun 14, 2024)
Title: WooCommerce Warranty Requests <=2.2.7 Missing Auth (CVE-2023-51495)
Description: Missing Authorization vulnerability in Woo WooCommerce Warranty Requests. This issue affects WooCommerce Warranty Requests: from n/a through 2.2.7.
Products: Returns And Warranty Requests

CVE-2023-51496 (Jun 14, 2024)
Title: WooCommerce Warranty Requests v2.2.7: Missing Auth Vulnerability
Description: Missing Authorization vulnerability in Woo WooCommerce Warranty Requests. This issue affects WooCommerce Warranty Requests: from n/a through 2.2.7.
Products: Returns And Warranty Requests

CVE-2023-51497 (Jun 14, 2024)
Title: Missing Auth WooCommerce Ship to Multi-Addr (<=3.8.9)
Description: Missing Authorization vulnerability in Woo WooCommerce Ship to Multiple Addresses. This issue affects WooCommerce Ship to Multiple Addresses: from n/a through 3.8.9.
Products: Shipping Multiple Addresses

CVE-2024-37297 (Jun 12, 2024)
Title: WooCommerce 8.8 XSS via Sourcebuster.js in Checkout Forms (before 8.8.5)
Description: WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization into the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.
Products: Woocommerce

CVE-2023-34003 (Jun 09, 2024)
Title: Missing Auth in WooCommerce Box Office <=1.1.51
Description: Missing Authorization vulnerability in Woo WooCommerce Box Office. This issue affects WooCommerce Box Office: from n/a through 1.1.51.
Products: Box Office

CVE-2023-51494 (Jun 09, 2024)
Title: WooCommerce Product Vendors 2.2.1 No Auth Access
Description: Missing Authorization vulnerability in Woo WooCommerce Product Vendors. This issue affects WooCommerce Product Vendors: from n/a through 2.2.1.
Products: Product Vendors

CVE-2024-1310 (Apr 15, 2024)
Title: WooCommerce WP Plugin 8.6 - Contributor Role Data Leakage
Description: The WooCommerce WordPress plugin before 8.6 does not prevent users with at least the contributor role from leaking products they shouldn't have access to (e.g. private, draft and trashed products).
Products: Woocommerce

CVE-2023-44999 (Mar 27, 2024)
Title: WooCommerce Stripe Payment GW CSRF VULN before 7.6.0
Description: Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.0.
Products: Stripe Payment Gateway
CVE-2024-24799 (Mar 26, 2024)
Title: Missing Auth in WooCommerce Box Office (<=1.2.2)
Description: Missing Authorization vulnerability in WooCommerce WooCommerce Box Office. This issue affects WooCommerce Box Office: from n/a through 1.2.2.
Products: Box Office

CVE-2024-27193 (Mar 15, 2024)
Title: Cross Site Scripting in PayU India <3.8.2
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PayU India PayU India (payu-india) allows DOM-Based XSS. This issue affects PayU India: from n/a through <= 3.8.8.
Products: Payu India Payment Gateway

CVE-2022-0775 (Jan 16, 2024)
Title: WooCommerce <6.2.1 unauthorized review deletion by any authenticated user
Description: The WooCommerce WordPress plugin before 6.2.1 does not have a proper authorisation check when deleting reviews, which could allow any authenticated user, such as a subscriber, to delete arbitrary comments.
Products: Woocommerce

CVE-2023-52222 (Jan 08, 2024)
Title: CSRF in Automattic WooCommerce 8.2.2
Description: Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2.
Products: Woocommerce

CVE-2023-32795 (Dec 28, 2023)
Title: Deserialization of Untrusted Data in WooCommerce Product Add-Ons <=6.1.3
Description: Deserialization of Untrusted Data vulnerability in WooCommerce Product Add-Ons. This issue affects Product Add-Ons: from n/a through 6.1.3.
Products: Product Addons

CVE-2023-32799 (Dec 21, 2023)
Title: Auth Bypass via User Controlled Key in WooCommerce Shipping Multi-Addr (3.8.3)
Description: Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Shipping Multiple Addresses. This issue affects Shipping Multiple Addresses: from n/a through 3.8.3.
Products: Shipping Multiple Addresses

CVE-2023-33318 (Dec 20, 2023)
Title: Unrestricted File Upload in WooCommerce AutomateWoo <=4.9.40
Description: Unrestricted Upload of File with Dangerous Type vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 4.9.40.
Products: Automatewoo

CVE-2023-32743 (Dec 20, 2023)
Title: SQLi in WooCommerce AutomateWoo <=5.7.1
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 5.7.1.
Products: Automatewoo

CVE-2023-33330 (Dec 20, 2023)
Title: SQL Injection in WooCommerce AutomateWoo 4.9.50 (AutomateWoo v4.9.50)
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 4.9.50.
Products: Automatewoo
CVE-2023-32794 (Nov 09, 2023)
Title: WooCommerce Product AddOns <=6.1.3 CSRF Vulnerability
Description: A vulnerability in Woo WooCommerce Product Add-ons (woocommerce-product-addons). This issue affects WooCommerce Product Add-ons: from n/a through <= 6.1.3.
Products: Product Addons

CVE-2023-32744 (Nov 09, 2023)
Title: CVE-2023-32744: CSRF in WooCommerce Product Recommendations <=2.3.0
Description: A vulnerability in Woo WooCommerce Product Recommendations (woocommerce-product-recommendations). This issue affects WooCommerce Product Recommendations: from n/a through < 2.3.0.
Products: Product Recommendations

CVE-2023-32745 (Nov 09, 2023)
Title: CSRF in WooCommerce AutomateWoo plugin <= 5.7.1
Description: A vulnerability in Woo AutomateWoo (automatewoo). This issue affects AutomateWoo: from n/a through <= 5.7.1.
Products: Automatewoo

CVE-2023-34004 (Aug 30, 2023)
Title: WooCommerce Box Office <=1.1.50 Auth XSS Authenticated Contributor+
Description: Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WooCommerce WooCommerce Box Office plugin <= 1.1.50 versions.
Products: Woocommerce Box Office

CVE-2023-33317 (Aug 30, 2023)
Title: Unauth XSS in WooCommerce Returns & Warranty Requests <=2.1.6
Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce Returns and Warranty Requests plugin <= 2.1.6 versions.
Products: Returns And Warranty Requests

CVE-2023-32746 (Aug 30, 2023)
Title: WooCommerce Brands <=1.6.45 Stored XSS Auth+ Vulnerability
Description: Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WooCommerce WooCommerce Brands plugin <= 1.6.45 versions.
Products: Woocommerce Brands

CVE-2023-32793 (Aug 30, 2023)
Title: Stored XSS in WooCommerce Pre-Orders <=2.0.0 (Contributor+)
Description: Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WooCommerce WooCommerce Pre-Orders plugin <= 2.0.0 versions.
Products: Woocommerce Pre Orders

CVE-2023-32801 (Aug 30, 2023)
Title: Unauth Reflected XSS in WooCommerce Composite Products <=8.7.5
Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce Composite Products plugin <= 8.7.5 versions.
Products: Composite Products

CVE-2023-32802 (Aug 30, 2023)
Title: CVE-2023-32802: Unauth. Reflected XSS in WooCommerce Pre-Orders <=1.9.0
Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce WooCommerce Pre-Orders plugin <= 1.9.0 versions.
Products: Woocommerce Pre Orders
CVE-2023-32575 (Aug 25, 2023)
Title: PI Websolution WP Plugin 1.3.25 XSS: Auth+ Stored XSS in Shipping Calculator
Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI Websolution Product page shipping calculator for WooCommerce plugin <= 1.3.25 versions.
Products: Woocommerce

CVE-2023-37873 (Aug 05, 2023)
Title: Unauth Reflected XSS in WooCommerce Shipping Multiple Addresses plugin <=3.8.5
Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce Shipping Multiple Addresses plugin <= 3.8.5 versions.
Products: Shipping Multiple Addresses

CVE-2023-3508 (Jul 31, 2023)
Title: WooCommerce Pre-Orders CSRF in <2.0.3 (CVE-2023-3508)
Description: The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when processing its tab actions, which could allow attackers to make logged-in admins email pre-order customers, change the release date, or mark all pre-orders of a specific product as complete or cancelled via CSRF attacks.
Products: Woocommerce Pre Orders

CVE-2023-3507 (Jul 31, 2023)
Title: WooCommerce Pre-Orders WP Plugin CSRF in Cancel Pre-Order before 2.0.3
Description: The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when cancelling pre-orders, which could allow attackers to make logged-in admins cancel arbitrary pre-orders via a CSRF attack.
Products: Woocommerce Pre Orders

CVE-2023-36511 (Jul 17, 2023)
Title: CSRF Vulnerability in WooCommerce Order Barcodes <=1.6.4
Description: Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Order Barcodes plugin <= 1.6.4 versions.
Products: Woocommerce Order Barcodes

CVE-2023-36513 (Jul 17, 2023)
Title: WooCommerce AutomateWoo <=5.7.5 CSRF Vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce AutomateWoo plugin <= 5.7.5 versions.
Products: Automatewoo
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).