Vulnerabilities > Woocommerce
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2021-04-05 | CVE-2021-24212 | Unrestricted Upload of File with Dangerous Type vulnerability in Woocommerce Help Scout | The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://woocommerce.com/products/woocommerce-help-scout/) allows unauthenticated users to upload any files to the site which by default will end up in wp-content/uploads/hstmp. | 9.8 |
2020-12-28 | CVE-2020-35627 | Unrestricted Upload of File with Dangerous Type vulnerability in Woocommerce Gift Cards 3.0.2 | Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom GiftCard Template that can remotely execute arbitrary code. | 8.8 |
2020-12-27 | CVE-2020-29156 | Authorization Bypass Through User-Controlled Key vulnerability in Woocommerce | The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. | 5.3 |
2020-08-26 | CVE-2020-11497 | Improper Validation of Integrity Check Value vulnerability in Woocommerce NAB Transact 2.1.0 | An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress. | 7.5 |
2020-07-23 | CVE-2019-18834 | Cross-site Scripting vulnerability in Woocommerce Subscriptions | Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCS_Admin_Post_Types in class-wcs-admin-post-types.php. | 6.1 |
2020-06-19 | CVE-2019-20891 | Cross-Site Request Forgery (CSRF) vulnerability in Woocommerce | WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php. | 8.8 |
2019-09-17 | CVE-2016-10987 | Cross-site Scripting vulnerability in Woocommerce Persian Woocommerce SMS | The persian-woocommerce-sms plugin before 3.3.4 for WordPress has ps_sms_numbers XSS. | 6.1 |
2019-08-29 | CVE-2019-14979 | Improper Input Validation vulnerability in Woocommerce Paypal Checkout Payment Gateway 1.6.17 | cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. | 5.3 |
2019-08-29 | CVE-2019-14978 | Improper Input Validation vulnerability in Woocommerce Payu India Payment Gateway 2.1.1 | /payu/icpcheckout/ in the WooCommerce PayU India Payment Gateway plugin 2.1.1 for WordPress allows Parameter Tampering in the purchaseQuantity=1 parameter, as demonstrated by purchasing an item for lower than the intended price. | 5.3 |
2019-03-21 | CVE-2019-7441 | Unspecified vulnerability in Woocommerce Paypal Checkout Payment Gateway 1.6.8 | cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.8 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. | 6.5 |