Total
9 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-2099 | 1 Woocommerce | 1 Woocommerce | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles | |||||
| CVE-2021-32790 | 1 Woocommerce | 1 Woocommerce | 2021-08-04 | 4.0 MEDIUM | 4.9 MEDIUM |
| Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpoints of `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing API. Read-only SQL queries can be executed using this exploit, while data will not be returned, by carefully crafting `search` parameter information can be disclosed using timing and related attacks. Version 3.3.6 is the earliest version of Woocommerce with a patch for this vulnerability. There are no known workarounds other than upgrading. | |||||
| CVE-2020-29156 | 1 Woocommerce | 1 Woocommerce | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. | |||||
| CVE-2021-24323 | 1 Woocommerce | 1 Woocommerce | 2021-05-24 | 3.5 LOW | 4.8 MEDIUM |
| When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled | |||||
| CVE-2019-20891 | 1 Woocommerce | 1 Woocommerce | 2020-06-25 | 6.8 MEDIUM | 8.8 HIGH |
| WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php. | |||||
| CVE-2018-20714 | 1 Woocommerce | 1 Woocommerce | 2019-10-02 | 5.5 MEDIUM | 8.1 HIGH |
| The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate privileges to admin. | |||||
| CVE-2019-9168 | 1 Woocommerce | 1 Woocommerce | 2019-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. | |||||
| CVE-2015-2329 | 1 Woocommerce | 1 Woocommerce | 2018-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order. | |||||
| CVE-2016-10112 | 1 Woocommerce | 1 Woocommerce | 2017-01-12 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format. | |||||