Woocommerce
By the Year
In 2026 there have been 2 vulnerabilities in Woocommerce with an average score of 7.0 out of ten. Last year, in 2025, Woocommerce had 6 security vulnerabilities published. Right now, Woocommerce is on track to have fewer security vulnerabilities in 2026 than it did last year. However, the average CVE base score of the vulnerabilities in 2026 is 0.90 higher.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 7.00 |
| 2025 | 6 | 6.10 |
| 2024 | 6 | 6.42 |
| 2023 | 3 | 6.27 |
| 2022 | 1 | 4.80 |
| 2021 | 2 | 4.85 |
| 2020 | 2 | 5.30 |
| 2019 | 3 | 0.00 |
It may take a day or so for new Woocommerce vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name; several entries below are for third-party plugins that extend WooCommerce rather than for WooCommerce itself. An average score of 0.00 means that no CVSS score was recorded for that year's entries.
Recent Woocommerce Security Vulnerabilities
WooPayments 10.5.1: Unauth Setting Update via missing capability check
CVE-2026-1710
6.5 - Medium
- March 31, 2026
The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to update plugin settings.
AuthZ
Insecure Direct Object Reference in WooCommerce Square Plugin <=5.1.1
CVE-2025-13457
7.5 - High
- January 10, 2026
The WooCommerce Square plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.1 via the get_token_by_id function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to expose arbitrary Square "ccof" (credit card on file) values and leverage this value to potentially make fraudulent charges on the target site.
Insecure Direct Object Reference / IDOR
Product Table for WooCommerce <=5.0.8 Reflected XSS via search_key
CVE-2025-12398
6.1 - Medium
- December 21, 2025
The Product Table for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_key' parameter in all versions up to, and including, 5.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
XSS
WooCommerce <=7.8.2 Sensitive Info Exposure via Improper CORS
CVE-2023-7320
5.3 - Medium
- October 29, 2025
The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information including PII(Personal Identifiable Information).
Information Disclosure
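The CORS decision that the Store API entry above turns on, as an added example written for this page (not WooCommerce's own code): the origin-reflecting pattern beside the allowlisted one, and the WordPress filter that the core REST server already honours. `get_http_origin()`, `rest_send_cors_headers()`, `is_allowed_http_origin()` and the `allowed_http_origins` filter are WordPress core; the origins listed and every `example_` function are assumptions.

```php
<?php
// Added example; not WooCommerce's Store API code. get_http_origin() and the
// 'allowed_http_origins' filter are WordPress core. The origins listed and every
// function prefixed example_ are assumptions made for illustration.

// VULNERABLE: reflecting whatever Origin the browser sent, with credentials allowed.
// Any third-party page can then issue cookie-authenticated requests to the endpoint
// and read the JSON body (cart, addresses, e-mail), which is the PII exposure in the advisory.
function example_cors_headers_vulnerable( $request_origin ) {
    return array(
        'Access-Control-Allow-Origin'      => $request_origin, // attacker-controlled
        'Access-Control-Allow-Credentials' => 'true',
    );
}

// HARDENED decision: emit CORS headers only for an exact-match allowlisted origin
// (scheme, host and port), never pair '*' with credentials, and vary caches on Origin.
function example_cors_headers( $request_origin, array $allowlist ) {
    if ( '' === $request_origin || ! in_array( $request_origin, $allowlist, true ) ) {
        return array(); // no CORS headers: the browser refuses to expose the response
    }
    return array(
        'Access-Control-Allow-Origin'      => $request_origin,
        'Access-Control-Allow-Credentials' => 'true',
        'Vary'                             => 'Origin',
    );
}

// WordPress core already applies this logic in rest_send_cors_headers(), which consults
// is_allowed_http_origin(). The plugin-side fix is therefore to stop emitting its own
// Access-Control-* headers and to register any extra trusted front end through the filter.
function example_allowed_origins( array $origins ) {
    $origins[] = 'https://storefront.example.com'; // assumption: a separate headless storefront
    return $origins;
}
add_filter( 'allowed_http_origins', 'example_allowed_origins' );
```

To check a site, send a request with a foreign origin, for instance `curl -sI -H 'Origin: https://evil.example' https://shop.example.com/wp-json/wc/store/v1/cart`, and confirm that the response does not contain `Access-Control-Allow-Origin: https://evil.example`; a reflected origin together with `Access-Control-Allow-Credentials: true` is the vulnerable configuration.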
WooMS (wpcraft) <=9.12 Stored Cross-Site Scripting
CVE-2025-57956
5.9 - Medium
- September 22, 2025
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpcraft WooMS allows Stored XSS. This issue affects WooMS: from n/a through 9.12.
XSS
PostMessage-Based XSS in WooCommerce <9.4.3
CVE-2025-5062
6.1 - Medium
- May 22, 2025
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
XSS
WooCommerce Products without featured images <=0.1: CSRF leading to Reflected XSS
CVE-2025-32545
7.1 - High
- April 17, 2025
Cross-Site Request Forgery (CSRF) vulnerability in SOFTAGON WooCommerce Products without featured images (woocommerce-products-without-featured-images) allows Reflected XSS. This issue affects WooCommerce Products without featured images: from n/a through 0.1.
Session Riding
URL Shortener | Conversion Tracking | AB Testing | WooCommerce <=9.0.2 Reflected XSS via Unsanitised Parameter
CVE-2024-13868
- March 06, 2025
The URL Shortener | Conversion Tracking | AB Testing | WooCommerce WordPress plugin through 9.0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
TI WooCommerce Wishlist Plugin: Unauthorized Data Modification Vulnerability
CVE-2024-10567
7.5 - High
- December 04, 2024
The TI WooCommerce Wishlist plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wizard' function in all versions up to, and including, 2.9.1. This makes it possible for unauthenticated attackers to create new pages, modify plugin settings, and perform limited options updates.
AuthZ
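Both CVE-2026-1710 and CVE-2024-10567 above are the same defect: a state-changing AJAX handler reachable without a capability check. The following is an added example written for this page, not code from WooPayments, TI WooCommerce Wishlist or WooCommerce. It assumes a WordPress environment (`add_action`, `check_ajax_referer`, `current_user_can`, `wp_send_json_*`, `sanitize_text_field`, `wp_unslash`, `update_option`, `wp_localize_script` and `wp_create_nonce` are core); the action names, the option name, the script handle and the choice of the `manage_woocommerce` capability are assumptions.

```php
<?php
// Added example; not code from WooPayments, TI WooCommerce Wishlist or WooCommerce.
// Assumes WordPress is loaded. Action names, option name, script handle and the
// 'manage_woocommerce' capability are assumptions made for illustration.

// VULNERABLE: a settings writer registered on wp_ajax_nopriv_* with neither a nonce
// nor a capability check. Anyone on the internet can POST to admin-ajax.php and change the option.
function example_save_appearance_vulnerable() {
    $settings = isset( $_POST['appearance'] ) ? (array) $_POST['appearance'] : array();
    update_option( 'example_plugin_appearance', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_vuln', 'example_save_appearance_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_vuln', 'example_save_appearance_vulnerable' ); // the exposure

// HARDENED: three independent gates, in this order.
function example_save_appearance() {
    // 1. CSRF: the request must carry a nonce minted for this action; on failure
    //    check_ajax_referer() terminates the request (HTTP 403).
    check_ajax_referer( 'example_save_appearance', 'security' );

    // 2. Authorization: a nonce proves the request came from a page this user loaded,
    //    not that the user is privileged. A subscriber must be rejected here.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: keep only the keys the feature defines, normalised.
    $allowed = array( 'theme', 'border_radius' );
    $raw     = isset( $_POST['appearance'] ) ? (array) wp_unslash( $_POST['appearance'] ) : array();
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $raw[ $key ] ) && is_scalar( $raw[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( (string) $raw[ $key ] );
        }
    }

    update_option( 'example_plugin_appearance', $clean );
    wp_send_json_success( $clean );
}
// No wp_ajax_nopriv_ registration: unauthenticated callers get WordPress's default "0" response.
add_action( 'wp_ajax_example_save_appearance', 'example_save_appearance' );

// The admin page hands the nonce to its (already registered) script; the browser sends it
// back as the 'security' POST field alongside 'action'.
function example_admin_script_data() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'action'   => 'example_save_appearance',
        'security' => wp_create_nonce( 'example_save_appearance' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_admin_script_data' );
```

The ordering matters: the nonce check runs before any work so that a forged cross-site request dies early, and the capability check is separate because nonces are bound to a user, not to a role. When auditing a plugin, grep for every `wp_ajax_nopriv_` registration and ask whether the handler modifies state; the nonce also covers the CSRF class that other entries on this page fall under.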
WooCommerce <=9.0.2 HTML Injection via Submitted Order Forms
CVE-2024-9944
6.1 - Medium
- October 15, 2024
The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions.
XSS
WooCommerce 8.8 XSS via Sourcebuster.js in Checkout Forms (before 8.8.5)
CVE-2024-37297
5.4 - Medium
- June 12, 2024
WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.
XSS
WooCommerce <8.6 Contributor-Role Product Data Leakage
CVE-2024-1310
- April 15, 2024
The WooCommerce WordPress plugin before 8.6 does not prevent users with at least the contributor role from leaking products they shouldn't have access to. (e.g. private, draft and trashed products)
WooCommerce <6.2.1 unauthorized review deletion by any authenticated user
CVE-2022-0775
4.3 - Medium
- January 16, 2024
The WooCommerce WordPress plugin before 6.2.1 does not have a proper authorisation check when deleting reviews, which could allow any authenticated user, such as a subscriber, to delete arbitrary comments.
AuthZ
CSRF in Automattic WooCommerce <=8.2.2
CVE-2023-52222
8.8 - High
- January 08, 2024
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2.
Session Riding
Product page shipping calculator for WooCommerce (PI Websolution) <=1.3.25: Auth. (admin+) Stored XSS
CVE-2023-32575
4.8 - Medium
- August 25, 2023
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI Websolution Product page shipping calculator for WooCommerce plugin <= 1.3.25 versions.
XSS
Direct checkout / Quick View for WooCommerce (PI Websolution) <=2.1.48: Auth. (admin+) Stored XSS
CVE-2023-28988
5.9 - Medium
- June 26, 2023
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI Websolution Direct checkout, Add to cart redirect, Quick purchase button, Buy now button, Quick View button for WooCommerce plugin <= 2.1.48 versions.
XSS
User Email Verification for WooCommerce <=3.5.0 Authentication Bypass via Weak Random Token
CVE-2023-2781
8.1 - High
- June 03, 2023
The User Email Verification for WooCommerce plugin for WordPress is vulnerable to authentication bypass via authenticate_user_by_email in versions up to, and including, 3.5.0. This is due to a random token generation weakness in the resend_verification_email function. This allows unauthenticated attackers to impersonate users and trigger an email address verification for arbitrary accounts, including administrative accounts, and automatically be logged in as that user, including any site administrators. This requires the Allow Automatic Login After Successful Verification setting to be enabled, which it is not by default.
Authentication Bypass Using an Alternate Path or Channel
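The entry above hinges on two things: a token an attacker can predict, and an auto-login step that trusts it. The following is an added example written for this page, not the plugin's code. `random_bytes()`, `hash()` and `hash_equals()` are plain PHP; `get_user_meta`/`update_user_meta`/`delete_user_meta`, `get_option`, `user_can` and `wp_set_auth_cookie` are WordPress core; the meta keys, option name and TTL are assumptions.

```php
<?php
// Added example; not the User Email Verification for WooCommerce plugin's code.
// Meta keys, the option name and the TTL are assumptions made for illustration.

const EXAMPLE_TOKEN_TTL = 3600; // seconds the verification link stays valid (assumption)

// WEAK: anything derived from public or low-entropy inputs (e-mail, timestamp, mt_rand)
// lets an attacker compute or brute-force a valid token for an arbitrary account.
function example_make_token_weak( $email ) {
    return md5( $email . time() );
}

// STRONG: 256 bits from the CSPRNG. The raw token goes only into the e-mail link; the
// database stores a hash, so a read of the users table does not yield usable tokens.
function example_issue_verification_token( $user_id ) {
    $token = bin2hex( random_bytes( 32 ) );
    update_user_meta( $user_id, 'example_verify_hash', hash( 'sha256', $token ) );
    update_user_meta( $user_id, 'example_verify_expires', time() + EXAMPLE_TOKEN_TTL );
    return $token; // never log this value
}

// Pure-PHP core of the check, usable without WordPress: constant-time compare plus expiry.
function example_token_matches( $stored_hash, $expires_at, $presented, $now ) {
    return '' !== $stored_hash
        && $now <= (int) $expires_at
        && hash_equals( (string) $stored_hash, hash( 'sha256', (string) $presented ) );
}

// Verification: single use, so a captured link cannot be replayed after the user clicks it.
function example_verify_token( $user_id, $presented ) {
    $stored  = (string) get_user_meta( $user_id, 'example_verify_hash', true );
    $expires = (int) get_user_meta( $user_id, 'example_verify_expires', true );
    if ( ! example_token_matches( $stored, $expires, $presented, time() ) ) {
        return false;
    }
    delete_user_meta( $user_id, 'example_verify_hash' );
    delete_user_meta( $user_id, 'example_verify_expires' );
    return true;
}

// Auto-login after verification stays opt-in and never applies to privileged accounts,
// so even a token leak cannot turn a verification e-mail into an administrator session.
function example_maybe_auto_login( $user_id ) {
    if ( ! get_option( 'example_auto_login_after_verify', false ) ) {
        return false;
    }
    if ( user_can( $user_id, 'manage_options' ) || user_can( $user_id, 'manage_woocommerce' ) ) {
        return false;
    }
    wp_set_auth_cookie( $user_id, false );
    return true;
}
```

Storing the hash rather than the token, comparing with `hash_equals()` and enforcing expiry and single use each close a distinct path (database read, timing side channel, replay); the privileged-role exclusion is the control that would have contained this particular advisory even with the weak generator in place.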
WooCommerce <6.6.0 Stored HTML Injection via Payment Gateway Titles
CVE-2022-2099
4.8 - Medium
- July 17, 2022
The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles
Output Sanitization
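Both this entry and CVE-2024-9944 above are stored HTML reaching an administrator's browser unescaped. The following is an added example written for this page, not WooCommerce's admin or gateway code. `esc_html()`, `esc_attr()`, `wp_kses()`, `sanitize_text_field()`, `sanitize_key()`, `wp_unslash()` and `update_post_meta()` are WordPress core; the data shapes and every `example_` function are assumptions.

```php
<?php
// Added example; not WooCommerce's code. Data shapes and example_ functions are assumptions.

// VULNERABLE: a stored, user-influenced string (gateway title, order-form field) dropped
// straight into admin markup. Whoever controls the string controls what the admin's browser renders.
function example_render_gateway_title_vulnerable( $title ) {
    return '<h3 class="wc-gateway-title">' . $title . '</h3>';
}

// HARDENED: escape at the sink, with the escaper that matches the HTML context.
function example_render_gateway_title( $title ) {
    return '<h3 class="wc-gateway-title">' . esc_html( $title ) . '</h3>';
}

// Attribute context: by WordPress convention esc_attr() for attribute values.
function example_render_order_field( $name, $value ) {
    return '<input type="text" name="' . esc_attr( $name ) . '" value="' . esc_attr( $value ) . '">';
}

// When limited markup is a feature, allow an explicit tag/attribute allowlist; wp_kses()
// removes everything else, including event-handler attributes and javascript: URLs.
function example_render_customer_note( $html ) {
    $allowed = array(
        'b'  => array(),
        'i'  => array(),
        'br' => array(),
        'a'  => array( 'href' => array(), 'title' => array() ),
    );
    return wp_kses( $html, $allowed );
}

// Sanitise on the way in as well, so the stored value is not a payload waiting for the
// next unescaped sink. sanitize_text_field() strips tags and control characters.
function example_store_order_form_field( $order_id, $field, $raw ) {
    $clean = sanitize_text_field( wp_unslash( $raw ) );
    update_post_meta( $order_id, '_example_' . sanitize_key( $field ), $clean );
    return $clean;
}
```

Input sanitisation is defence in depth, not a substitute: a value that was stored before the fix, or that arrives through an import or API path, still has to be escaped where it is printed.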
WooCommerce 3.3.x SQL Injection in Webhook Listing REST Endpoints via search Parameter
CVE-2021-32790
4.9 - Medium
- July 26, 2021
WooCommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site, can exploit vulnerable endpoints of `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing APIs. Read-only SQL queries can be executed using this exploit; although the query results are not returned to the caller, by carefully crafting the `search` parameter information can be disclosed through timing and related blind-injection techniques. Version 3.3.6 is the earliest version of WooCommerce with a patch for this vulnerability. There are no known workarounds other than upgrading.
SQL Injection
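The query shape behind the entry above, as an added example written for this page (not the WooCommerce webhooks controller): the interpolated `search` parameter beside the prepared form, plus a small request-log matcher for the time-based probes such a bug invites. `$wpdb->prepare()`, `$wpdb->esc_like()` and `$wpdb->get_col()` are WordPress core; the table and column names and the `example_` functions are assumptions.

```php
<?php
// Added example; not WooCommerce's webhooks controller. Table and column names are assumptions.

// VULNERABLE: the REST 'search' value is interpolated into SQL. Even when no rows are
// returned to the caller, an attacker can append a conditional SLEEP() or a boolean clause
// and recover data one bit at a time from response time or row count.
function example_search_webhooks_vulnerable( $search ) {
    global $wpdb;
    $sql = "SELECT webhook_id FROM {$wpdb->prefix}wc_webhooks WHERE name LIKE '%{$search}%'";
    return $wpdb->get_col( $sql );
}

// HARDENED: parameterise with prepare(); escape LIKE metacharacters separately so that
// '%' and '_' in user input match literally instead of widening the pattern.
function example_search_webhooks( $search ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT webhook_id FROM {$wpdb->prefix}wc_webhooks WHERE name LIKE %s",
        $like
    );
    return $wpdb->get_col( $sql );
}

// Detection side: flag the classic blind-injection primitives in a request parameter value.
// Suitable for a WAF rule or for grepping access logs for the webhooks endpoints.
function example_looks_like_blind_sqli( $value ) {
    $value    = rawurldecode( (string) $value );
    $patterns = array(
        '/\bsleep\s*\(/i',
        '/\bbenchmark\s*\(/i',
        '/\bwaitfor\s+delay\b/i',
        '/\b(and|or)\s+\d+\s*=\s*\d+\b/i',
        "/'\s*(and|or)\b/i",
        '/\bextractvalue\s*\(|\bupdatexml\s*\(/i',
    );
    foreach ( $patterns as $p ) {
        if ( preg_match( $p, $value ) ) {
            return true;
        }
    }
    return false;
}
```

Two points a practitioner should keep in mind: `prepare()` only helps when the user value travels through a placeholder, so a `$wpdb->prepare( "... LIKE '%{$search}%'" )` call with no `%s` is still injectable; and because the vulnerable endpoints require admin access or API keys, the log matcher is most useful for spotting misuse of a leaked REST key rather than anonymous scanning.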
WooCommerce Stored XSS via "Additional tax classes" Field in Admin Dashboard
CVE-2021-24323
4.8 - Medium
- May 17, 2021
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high-privilege users such as admin to use XSS payloads even when the unfiltered_html capability is disabled.
XSS
WooCommerce <4.7.0 Arbitrary Order Status Disclosure via order_id in fetch_order_status
CVE-2020-29156
5.3 - Medium
- December 27, 2020
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
AuthZ
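This entry and the WooCommerce Square IDOR (CVE-2025-13457) above share one defect: a bare identifier selects an object that belongs to someone else. The following is an added example written for this page, not WooCommerce's or the Square plugin's code. `wc_get_order()` and the `WC_Order` getters are WooCommerce; `user_can()`, `get_current_user_id()`, `absint()`, `sanitize_text_field()`, `wp_unslash()`, `wp_send_json_*` and `$wpdb` are WordPress core; `hash_equals()` is PHP. The AJAX action names and the card-token table are assumptions.

```php
<?php
// Added example; not WooCommerce's or the WooCommerce Square plugin's code.
// Action names and the example_card_tokens table are assumptions made for illustration.

// VULNERABLE: the numeric id alone selects the object. Order ids are sequential, so an
// unauthenticated caller can walk them and read every order's status.
function example_fetch_order_status_vulnerable() {
    $order = wc_get_order( absint( $_GET['order_id'] ?? 0 ) );
    if ( ! $order ) {
        wp_send_json_error( null, 404 );
    }
    wp_send_json_success( array( 'status' => $order->get_status() ) );
}

// Object-level authorization, reusable for any lookup-by-id: the caller may see the order
// if they manage the shop, if it belongs to their logged-in account, or if they present the
// order's secret key (guest checkout). The key comparison is constant-time.
function example_can_view_order( $order, $user_id, $presented_key ) {
    $user_id = (int) $user_id;
    if ( $user_id > 0 && user_can( $user_id, 'manage_woocommerce' ) ) {
        return true;
    }
    if ( $user_id > 0 && (int) $order->get_customer_id() === $user_id ) {
        return true;
    }
    return '' !== $presented_key
        && hash_equals( (string) $order->get_order_key(), (string) $presented_key );
}

// HARDENED handler: identical 404 for "no such order" and "not your order", so the
// endpoint does not confirm which ids exist.
function example_fetch_order_status() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $key      = isset( $_GET['key'] ) ? sanitize_text_field( wp_unslash( $_GET['key'] ) ) : '';
    $order    = wc_get_order( $order_id );
    if ( ! $order || ! example_can_view_order( $order, get_current_user_id(), $key ) ) {
        wp_send_json_error( null, 404 );
    }
    wp_send_json_success( array( 'status' => $order->get_status() ) );
}
add_action( 'wp_ajax_example_fetch_order_status', 'example_fetch_order_status' );
// Guests are allowed only because the handler insists on the order key for them.
add_action( 'wp_ajax_nopriv_example_fetch_order_status', 'example_fetch_order_status' );

// The Square "token by id" entry is the same defect against a different table. Scope the
// lookup to the requester instead of fetching by bare id, so a foreign id yields no row.
function example_get_card_token_for_user( $token_id, $user_id ) {
    global $wpdb;
    return $wpdb->get_row( $wpdb->prepare(
        "SELECT token_id, token FROM {$wpdb->prefix}example_card_tokens WHERE token_id = %d AND user_id = %d",
        absint( $token_id ),
        absint( $user_id )
    ) );
}
```

The reusable predicate is the important part: every handler that accepts an id should call the same ownership check rather than re-deriving it, and the "scope the query to the requester" form is preferable where it fits because it makes the unauthorized case a plain empty result instead of a branch someone can forget.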
WooCommerce <3.6.5 CSRF with Resultant Stored XSS in Product CSV Importer
CVE-2019-20891
- June 19, 2020
WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.
WooCommerce <3.5.5 XSS via Photoswipe Caption
CVE-2019-9168
- February 26, 2019
WooCommerce before 3.5.5 allows XSS via a Photoswipe caption.
WooCommerce <3.2.4 PHP Object Injection via Cached Product Shortcode Queries (Shop Manager+)
CVE-2017-18356
- January 15, 2019
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.
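The pattern behind the object-injection entry above, as an added example written for this page (not WooCommerce's shortcode code): a cache populated from attacker-influenced shortcode attributes and restored with `unserialize()`, beside two safe alternatives. `unserialize()` with `allowed_classes`, `json_encode()`/`json_decode()` and `__PHP_Incomplete_Class` are plain PHP; `get_transient()`/`set_transient()` and `HOUR_IN_SECONDS` are WordPress core; the cache key prefix, the attribute names and the `example_` functions are assumptions.

```php
<?php
// Added example; not WooCommerce's shortcode code. Cache key prefix, attribute names and
// example_ functions are assumptions made for illustration.

// VULNERABLE: cache entries are derived from shortcode attributes a Shop Manager controls
// and restored with unserialize(). Once a crafted serialized string reaches the cache, any
// autoloadable class with __wakeup()/__destruct() becomes a gadget on the read path.
function example_cached_query_vulnerable( $atts ) {
    $key  = 'example_products_' . md5( serialize( $atts ) );
    $data = get_transient( $key );
    if ( false !== $data ) {
        return unserialize( $data ); // object instantiation driven by stored bytes
    }
    $result = array( 'ids' => array() ); // stand-in for the real product query
    set_transient( $key, serialize( $result ), HOUR_IN_SECONDS );
    return $result;
}

// HARDENED: cache plain data in a format that cannot instantiate objects at all.
function example_cache_encode( array $data ) {
    return json_encode( $data );
}
function example_cache_decode( $blob ) {
    $data = json_decode( (string) $blob, true ); // assoc arrays, never objects
    return is_array( $data ) ? $data : null;
}

// If PHP serialization cannot be avoided (legacy data), forbid class instantiation outright.
// Any smuggled object surfaces as __PHP_Incomplete_Class (checked here at the top level).
function example_safe_unserialize( $blob ) {
    $data = unserialize( (string) $blob, array( 'allowed_classes' => false ) ); // PHP >= 7.0
    return ( false === $data || $data instanceof __PHP_Incomplete_Class ) ? null : $data;
}

function example_cached_query( $atts ) {
    // Keep attacker input out of the cache semantics: only the attributes that shape the query.
    $allowed = array( 'limit', 'orderby', 'category' );
    $atts    = array_intersect_key( (array) $atts, array_flip( $allowed ) );
    $key     = 'example_products_' . md5( json_encode( $atts ) );

    $cached = example_cache_decode( get_transient( $key ) );
    if ( null !== $cached ) {
        return $cached;
    }
    $result = array( 'ids' => array() ); // stand-in for the real product query
    set_transient( $key, example_cache_encode( $result ), HOUR_IN_SECONDS );
    return $result;
}
```

JSON is the preferred fix because it removes the class-instantiation capability entirely; `allowed_classes => false` is the fallback for data that must stay in PHP's native format, and the incomplete-class check is what turns an attempted gadget chain into an ordinary cache miss.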
WooCommerce <3.4.6 Arbitrary File Deletion in Logging System Enabling Shop Manager to Admin Privilege Escalation
CVE-2018-20714
- January 15, 2019
The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate privileges to admin.
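The containment check the entry above lacked, as an added example written for this page (not WooCommerce's logging code): an unvalidated log handle joined onto a directory path beside a resolver that allowlists the handle and requires the resolved target to stay inside the log directory. `realpath()`, `preg_match()`, `strncmp()`, `is_file()` and `unlink()` are plain PHP; `check_admin_referer()`, `current_user_can()`, `sanitize_text_field()`, `wp_unslash()`, `wp_die()` and `WP_CONTENT_DIR` are WordPress core; the log directory, the capability chosen and the `example_` functions are assumptions.

```php
<?php
// Added example; not WooCommerce's logging code. Log directory, capability and example_
// functions are assumptions made for illustration.

// VULNERABLE: the 'handle' parameter is joined onto the log path unchecked, so a value such
// as "../../plugins/woocommerce/woocommerce" escapes the directory. Deleting the plugin's
// main file removes the capability checks it defines, which is the shop-manager-to-admin path.
function example_delete_log_vulnerable( $log_dir, $handle ) {
    $path = rtrim( $log_dir, '/' ) . '/' . $handle . '.log';
    return file_exists( $path ) && unlink( $path );
}

// HARDENED, pure PHP: allowlist the handle's character set, then resolve the path and
// require the resolved target to sit inside the resolved log directory.
// Returns the safe absolute path or null; touches the filesystem only through realpath()/is_file().
function example_resolve_log_path( $log_dir, $handle ) {
    if ( ! preg_match( '/\A[a-zA-Z0-9_\-]{1,64}\z/', $handle ) ) {
        return null; // rejects '/', '..', NUL bytes and anything that is not a plain handle
    }
    $base = realpath( $log_dir );
    if ( false === $base ) {
        return null;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $handle . '.log' );
    if ( false === $candidate ) {
        return null; // file does not exist
    }
    // Containment: the resolved file must start with "<base>/". This also catches a symlink
    // inside the log directory that points elsewhere, because realpath() follows it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $candidate, $prefix, strlen( $prefix ) ) ) {
        return null;
    }
    if ( ! is_file( $candidate ) ) {
        return null; // never unlink a directory or special file
    }
    return $candidate;
}

// The WordPress-facing handler: nonce, capability, then the contained delete.
function example_delete_log_handler() {
    check_admin_referer( 'example_delete_log' );
    if ( ! current_user_can( 'manage_options' ) ) { // assumption: reserve log deletion for administrators
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    $handle = isset( $_GET['handle'] ) ? sanitize_text_field( wp_unslash( $_GET['handle'] ) ) : '';
    $path   = example_resolve_log_path( WP_CONTENT_DIR . '/uploads/wc-logs', $handle ); // assumed location
    if ( null === $path ) {
        wp_die( 'invalid log handle', '', array( 'response' => 400 ) );
    }
    unlink( $path );
}
```

The character allowlist alone would stop the traversal in this advisory; the `realpath()` containment check is kept as well because it also defends against symlinks and against future callers that build the path from something other than a single handle, and restricting the action to administrators means that even a successful bypass no longer crosses a privilege boundary.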