Woocommerce vulnerabilities
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2022-03-14 | CVE-2021-24940 | Cross-site Scripting vulnerability in Woocommerce Persian-Woocommerce | The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue. | 4.3 |
2021-12-06 | CVE-2021-24938 | Cross-site Scripting vulnerability in Woocommerce Currency Switcher | The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue. | 4.3 |
2021-07-26 | CVE-2021-32790 | SQL Injection vulnerability in Woocommerce | Woocommerce is an open source eCommerce plugin for WordPress. | 4.0 |
2021-05-17 | CVE-2021-24323 | Cross-site Scripting vulnerability in Woocommerce | When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high-privilege users such as admin to use XSS payloads even when unfiltered_html is disabled. | 3.5 |
2021-04-05 | CVE-2021-24212 | Unrestricted Upload of File with Dangerous Type vulnerability in Woocommerce Help Scout | The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://woocommerce.com/products/woocommerce-help-scout/) allows unauthenticated users to upload any files to the site, which by default will end up in wp-content/uploads/hstmp. | 7.5 |
2021-04-05 | CVE-2021-24171 | Unrestricted Upload of File with Dangerous Type vulnerability in Woocommerce Upload Files | The WooCommerce Upload Files WordPress plugin before 59.4 ran a single sanitization pass to remove blocked extensions such as .php. | 9.8 |
2020-12-28 | CVE-2020-35627 | Unrestricted Upload of File with Dangerous Type vulnerability in Woocommerce Gift Cards 3.0.2 | Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom GiftCard Template that can remotely execute arbitrary code. | 7.5 |
2020-12-27 | CVE-2020-29156 | Incorrect Authorization vulnerability in Woocommerce | The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. | 5.0 |
2020-08-26 | CVE-2020-11497 | Improper Validation of Integrity Check Value vulnerability in Woocommerce NAB Transact 2.1.0 | An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress. | 5.0 |
2020-07-23 | CVE-2019-18834 | Cross-site Scripting vulnerability in Woocommerce Subscriptions | Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCS_Admin_Post_Types in class-wcs-admin-post-types.php. | 4.3 |