Woocommerce
cpe:2.3:a:automattic:woocommerce:*:*:*:*:*:*:*:*
| Field | Value |
|---|---|
| Part | a (application) |
| Vendor | Automattic (1dc39c9b-4ddb-5af6-acf4-410b436129a9) |
| Product | Woocommerce (9da57e16-55d4-502c-b24f-e40a2029679a) |
| Version | * |
| Update | * |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-3589 | vulnerable | 2026-06-03 15:23:33.146134 | WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF. The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged-in admin call non-Store/WC REST endpoints and, for example, create arbitrary admin users via a CSRF attack. Published: 2026-03-06T09:11:10.949Z. Updated: 2026-03-06T17:44:58.613Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-5062 | vulnerable | 2026-06-03 15:06:26.910647 | WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting. MEDIUM (6.1). The WooCommerce plugin for WordPress is vulnerable to PostMessage-based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping of PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Published: 2025-05-22T03:42:08.044Z. Updated: 2026-04-08T17:23:41.731Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-49042 | vulnerable | 2026-06-03 15:01:43.974410 | WordPress WooCommerce plugin <= 10.0.2 - Cross Site Scripting (XSS) vulnerability. MEDIUM (5.9). Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce allows Stored XSS. This issue affects WooCommerce: from n/a through 10.0.2. Published: 2025-10-29T04:50:12.507Z. Updated: 2026-04-28T16:12:58.197Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-26762 | vulnerable | 2026-06-03 15:00:08.407993 | WordPress WooCommerce plugin <= 9.7.0 - Cross Site Scripting (XSS) vulnerability. MEDIUM (5.9). Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce allows Stored XSS. This issue affects WooCommerce: from n/a through 9.7.0. Published: 2025-03-27T15:52:22.683Z. Updated: 2026-04-28T16:11:40.353Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-15033 | vulnerable | 2026-06-03 14:58:56.388588 | WooCommerce - Subscriber/Customer+ Order Data Disclosure. A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as in all previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier. Published: 2025-12-22T18:57:39.687Z. Updated: 2026-03-06T09:09:36.936Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-9944 | vulnerable | 2026-06-03 14:58:22.950330 | WooCommerce <= 9.0.2 - Unauthenticated HTML Injection. MEDIUM (5.3). The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions. Published: 2024-10-15T05:31:31.921Z. Updated: 2026-04-08T17:17:17.415Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-39666 | vulnerable | 2026-06-03 14:56:22.139134 | WordPress WooCommerce plugin <= 9.1.2 - Cross Site Scripting (XSS) vulnerability. MEDIUM (5.9). Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 9.1.2. Published: 2024-08-18T13:37:18.254Z. Updated: 2026-04-28T16:10:08.243Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-35777 | vulnerable | 2026-06-03 14:56:03.043855 | WordPress WooCommerce plugin <= 8.9.2 - Content Injection vulnerability. LOW (3.5). Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing. This issue affects WooCommerce: from n/a through 8.9.2. Published: 2024-07-09T09:57:21.810Z. Updated: 2026-04-28T16:09:55.316Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-22155 | vulnerable | 2026-06-03 14:54:59.885928 | WordPress WooCommerce plugin <= 8.5.2 - Cross Site Request Forgery (CSRF) vulnerability. MEDIUM (4.3). Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.5.2. Published: 2024-04-07T17:56:05.844Z. Updated: 2026-04-28T16:09:08.800Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-7320 | vulnerable | 2026-06-03 14:54:00.433271 | WooCommerce <= 7.8.2 - Sensitive Information Exposure. MEDIUM (5.3). The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information, including PII (Personally Identifiable Information). Published: 2025-10-29T06:45:48.702Z. Updated: 2026-04-08T17:02:27.373Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-52222 | vulnerable | 2026-06-03 14:53:38.985384 | WordPress WooCommerce Plugin <= 8.2.2 is vulnerable to Cross Site Request Forgery (CSRF). MEDIUM (4.3). Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2. Published: 2024-01-08T18:53:05.442Z. Updated: 2026-04-28T16:09:07.249Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2023-47777 | vulnerable | 2026-06-03 14:53:18.113289 | WordPress WooCommerce and WooCommerce Blocks plugins - Auth. Cross-Site Scripting (XSS) vulnerability. MEDIUM (6.5). Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce and Automattic WooCommerce Blocks allows Stored XSS. This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1. Published: 2023-11-30T11:56:53.604Z. Updated: 2026-04-28T16:08:51.789Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-24323 | vulnerable | 2026-06-03 14:43:56.816894 | Woocommerce < 5.2.0 - Authenticated Stored Cross-Site Scripting (XSS). When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high-privilege users such as admins to use XSS payloads even when the unfiltered_html capability is disabled. Published: 2021-05-17T16:48:53.000Z. Updated: 2024-08-03T19:28:23.704Z. | Imported from gcve-enriched-dumps CVE data |