Vulnerabilities > Woocommerce > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-05-15 | CVE-2023-2179 | Unspecified vulnerability in Woocommerce Order Status Change Notifier: The WooCommerce Order Status Change Notifier WordPress plugin through 1.1.0 does not have authorisation and CSRF when updating status orders via an AJAX action available to any authenticated users, which could allow low privilege users such as subscriber to update arbitrary order status, making them paid without actually paying for them for example. | 6.5 |
| 2023-04-30 | CVE-2015-10104 | Open Redirect vulnerability in Woocommerce Icons for Features 1.0.0: A vulnerability, which was classified as problematic, has been found in Icons for Features Plugin 1.0.0 on WordPress. | 6.1 |
| 2022-07-17 | CVE-2022-2099 | Improper Encoding or Escaping of Output vulnerability in Woocommerce: The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles. | 4.8 |
| 2022-03-14 | CVE-2021-24940 | Cross-site Scripting vulnerability in Woocommerce Persian-Woocommerce: The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue. | 4.3 |
| 2021-12-06 | CVE-2021-24938 | Cross-site Scripting vulnerability in Woocommerce Currency Switcher: The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue. | 4.3 |
| 2021-07-26 | CVE-2021-32790 | SQL Injection vulnerability in Woocommerce: Woocommerce is an open source eCommerce plugin for WordPress. | 4.0 |
| 2020-12-27 | CVE-2020-29156 | Incorrect Authorization vulnerability in Woocommerce: The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. | 5.0 |
| 2020-08-26 | CVE-2020-11497 | Improper Validation of Integrity Check Value vulnerability in Woocommerce NAB Transact 2.1.0: An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress. | 5.0 |
| 2020-07-23 | CVE-2019-18834 | Cross-site Scripting vulnerability in Woocommerce Subscriptions: Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCS_Admin_Post_Types in class-wcs-admin-post-types.php. | 4.3 |
| 2020-06-19 | CVE-2019-20891 | Cross-Site Request Forgery (CSRF) vulnerability in Woocommerce: WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php. | 6.8 |