Vulnerabilities > Woocommerce

DATE        CVE             VULNERABILITY TITLE                                   RISK
Each entry gives the publication date, CVE ID, title and risk score on its first line, followed by the description and, where the listing provides them, the attack vector, attack complexity, affected product and CWE.
2021-07-26  CVE-2021-32790  SQL Injection vulnerability in Woocommerce  Risk: 4.0
    Woocommerce is an open source eCommerce plugin for WordPress.
    Attack vector: network | Attack complexity: low | Product: woocommerce | CWE-89
2021-05-17  CVE-2021-24323  Cross-site Scripting vulnerability in Woocommerce  Risk: 3.5
    When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high-privilege users such as administrators to inject XSS payloads even when the unfiltered_html capability is disabled.
2021-04-05  CVE-2021-24212  Unrestricted Upload of File with Dangerous Type vulnerability in Woocommerce Help Scout  Risk: 7.5
    The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://woocommerce.com/products/woocommerce-help-scout/) allows unauthenticated users to upload arbitrary files to the site, which by default end up in wp-content/uploads/hstmp.
    Attack vector: network | Attack complexity: low | Product: woocommerce | CWE-434
2021-04-05  CVE-2021-24171  Unrestricted Upload of File with Dangerous Type vulnerability in Woocommerce Upload Files  Risk: 7.5
    The WooCommerce Upload Files WordPress plugin before 59.4 ran a single sanitization pass to remove blocked extensions such as .php.
    Attack vector: network | Attack complexity: low | Product: woocommerce | CWE-434
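The entry above describes the classic single-pass blocklist weakness: stripping ".php" once from a name that nests the blocked string inside itself leaves a ".php" behind. The following is an added example, not code from the WooCommerce Upload Files plugin or any other plugin on this page. It puts that vulnerable pattern beside an allowlist check on the final extension with a server-generated stored name. The extension lists, function names and sample filenames are this example's own assumptions.

```php
<?php
// Added example, not code from the WooCommerce Upload Files plugin or any other plugin on this
// page. It contrasts a single blocklist-stripping pass with an allowlist on the final extension.
// The extension lists, function names and sample filenames are this example's own assumptions.

declare(strict_types=1);

const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar'];            // assumed blocklist
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf']; // assumed allowlist

// Vulnerable pattern: one pass that deletes each blocked extension wherever it appears.
// Nesting the blocked string inside itself ("shell.p.phphp") survives the pass as "shell.php",
// because removing the inner ".php" splices the surrounding characters into a new ".php".
function sanitize_single_pass(string $filename): string
{
    foreach (BLOCKED_EXTENSIONS as $ext) {
        $filename = str_ireplace('.' . $ext, '', $filename);
    }
    return $filename;
}

// Hardened pattern: look only at the final extension, accept it only from an allowlist,
// and never reuse the client-supplied name. Returns the accepted extension, or null to reject.
function validated_extension(string $filename): ?string
{
    $basename = basename(str_replace('\\', '/', $filename)); // strip any directory part
    if ($basename === '' || strpos($basename, "\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($basename, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

// The name that actually reaches the filesystem is generated server-side.
function stored_name(string $ext): string
{
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample filenames: a benign upload, the nested-extension bypass, a case variant,
// a double extension and a path traversal attempt.
$samples = ['invoice.pdf', 'shell.php', 'shell.p.phphp', 'shell.PHP', 'shell.php.jpg', '../../wp-config.php'];

foreach ($samples as $name) {
    $ext = validated_extension($name);
    printf("%-22s single-pass => %-14s allowlist => %s\n",
        $name,
        sanitize_single_pass($name),
        $ext === null ? 'rejected' : 'stored as ' . stored_name($ext));
}
```

Running it shows "shell.p.phphp" coming out of the single pass as "shell.php" while the allowlist rejects it because its final extension is "phphp". "shell.php.jpg" is accepted by the allowlist, which is only safe because the stored name is regenerated: if the client name were kept, an Apache host with a PHP handler registered via AddHandler would still treat the ".php" in the middle as executable. Inside WordPress the native equivalent of validated_extension() is wp_check_filetype_and_ext(), which additionally sniffs the file content against the claimed type.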
2020-12-28  CVE-2020-35627  Unrestricted Upload of File with Dangerous Type vulnerability in Woocommerce Gift Cards 3.0.2  Risk: 7.5
    Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom GiftCard Template that can remotely execute arbitrary code.
    Attack vector: network | Attack complexity: low | Product: woocommerce | CWE-434
2020-12-27  CVE-2020-29156  Incorrect Authorization vulnerability in Woocommerce  Risk: 5.0
    The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
    Attack vector: network | Attack complexity: low | Product: woocommerce | CWE-863
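The entry above is an insecure direct object reference: the handler trusted order_id without tying the order to the caller. The following is an added example, not WooCommerce's own code, showing the missing ownership check and two details that a naive fix gets wrong: guest orders carry customer ID 0, which an anonymous caller also has, and "not your order" must be indistinguishable from "no such order". The in-memory order table, user IDs and function names are constructed for this example.

```php
<?php
// Added example, not WooCommerce's own code: the ownership check that the fetch_order_status
// handler described above lacked. The in-memory order table, user IDs and function names are
// constructed for this example.

declare(strict_types=1);

// Constructed orders. customer_id 0 marks a guest checkout, the convention WooCommerce uses.
const ORDERS = [
    101 => ['customer_id' => 7, 'status' => 'processing'],
    102 => ['customer_id' => 9, 'status' => 'completed'],
    103 => ['customer_id' => 0, 'status' => 'pending'],   // guest order
];

// Vulnerable pattern: the order ID is the only input, so any caller can walk the ID space.
function fetch_order_status_vulnerable(int $order_id): ?string
{
    return ORDERS[$order_id]['status'] ?? null;
}

// Hardened pattern. Two details matter beyond "compare the customer ID":
//  1. an anonymous caller has user ID 0, so a bare equality test would hand out every guest order;
//  2. "not yours" must look exactly like "no such order", or the response still lets an attacker
//     enumerate which order IDs exist.
function fetch_order_status(int $order_id, int $current_user_id, bool $can_manage_orders): ?string
{
    $order = ORDERS[$order_id] ?? null;
    if ($order === null) {
        return null;
    }
    if ($can_manage_orders) {            // shop manager / administrator
        return $order['status'];
    }
    if ($current_user_id === 0 || $order['customer_id'] !== $current_user_id) {
        return null;                     // indistinguishable from a missing order
    }
    return $order['status'];
}

// Constructed requests: the owner, another customer, an anonymous caller probing a guest order,
// a shop manager, and a nonexistent ID.
$requests = [
    [101, 7, false],
    [101, 9, false],
    [103, 0, false],
    [102, 1, true],
    [999, 7, false],
];

foreach ($requests as [$order_id, $user_id, $manage]) {
    printf("order %d, user %d, manage=%-5s  vulnerable: %-10s  hardened: %s\n",
        $order_id, $user_id, $manage ? 'true' : 'false',
        fetch_order_status_vulnerable($order_id) ?? 'null',
        fetch_order_status($order_id, $user_id, $manage) ?? 'null');
}
```

The vulnerable function answers every request, including the anonymous probe of the guest order 103; the hardened one answers only the owner and the manager and returns null for the rest. In a real WooCommerce AJAX handler the ownership test is current_user_can( 'view_order', $order_id ), which WooCommerce maps to the order's customer, rather than a hand-written comparison.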
2020-08-26  CVE-2020-11497  Improper Validation of Integrity Check Value vulnerability in Woocommerce NAB Transact 2.1.0  Risk: 5.0
    An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress.
    Attack vector: network | Attack complexity: low | Product: woocommerce | CWE-354
2020-07-23  CVE-2019-18834  Cross-site Scripting vulnerability in Woocommerce Subscriptions  Risk: 4.3
    Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCS_Admin_Post_Types in class-wcs-admin-post-types.php.
2020-06-19  CVE-2019-20891  Cross-Site Request Forgery (CSRF) vulnerability in Woocommerce  Risk: 6.8
    WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.
2019-09-17  CVE-2016-10987  Cross-site Scripting vulnerability in Woocommerce Persian Woocommerce SMS  Risk: 4.3
    The persian-woocommerce-sms plugin before 3.3.4 for WordPress has cross-site scripting (XSS) via ps_sms_numbers.