This page aggregates CVEs and security vulnerability information across WooCommerce-related products, listing CVSS, EPSS, publication date, and vulnerability details for each entry.
Past issues have mainly concerned open redirect and SQL injection flaws, some of which led to data exposure, and they affect scenarios involving production workloads and software deployment.
The listed data is based on public vulnerability information and security advisories and can be used to assess historical exposure and patching priority.

| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-5062 | The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | [email protected] | 6.1 | 0.39% | 2025-05-22 | 2025-09-30 |
| CVE-2024-9944 | The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions. | [email protected] | 5.3 | 0.63% | 2024-10-15 | 2024-10-17 |
| CVE-2023-35049 | Missing Authorization vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.4.0. | [email protected] | 7.5 | 0.49% | 2024-06-19 | 2025-03-10 |
| CVE-2023-51497 | Missing Authorization vulnerability in Woo WooCommerce Ship to Multiple Addresses. This issue affects WooCommerce Ship to Multiple Addresses: from n/a through 3.8.9. | [email protected] | 5.4 | 0.31% | 2024-06-14 | 2024-11-21 |
| CVE-2023-51496 | Missing Authorization vulnerability in Woo WooCommerce Warranty Requests. This issue affects WooCommerce Warranty Requests: from n/a through 2.2.7. | [email protected] | 5.3 | 0.31% | 2024-06-14 | 2024-11-21 |
| CVE-2023-51495 | Missing Authorization vulnerability in Woo WooCommerce Warranty Requests. This issue affects WooCommerce Warranty Requests: from n/a through 2.2.7. | [email protected] | 6.5 | 0.36% | 2024-06-14 | 2024-11-21 |
| CVE-2024-37297 | WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and | [email protected] | 5.4 | 0.48% | 2024-06-12 | 2024-11-21 |
| CVE-2023-34003 | Missing Authorization vulnerability in Woo WooCommerce Box Office. This issue affects WooCommerce Box Office: from n/a through 1.1.51. | [email protected] | 6.5 | 0.35% | 2024-06-09 | 2024-11-21 |
| CVE-2023-51494 | Missing Authorization vulnerability in Woo WooCommerce Product Vendors. This issue affects WooCommerce Product Vendors: from n/a through 2.2.1. | [email protected] | 5.3 | 0.36% | 2024-06-09 | 2024-11-21 |
| CVE-2023-44999 | Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.0. | [email protected] | 5.4 | 0.22% | 2024-03-27 | 2026-04-28 |
| CVE-2024-24799 | Missing Authorization vulnerability in WooCommerce WooCommerce Box Office. This issue affects WooCommerce Box Office: from n/a through 1.2.2. | [email protected] | 6.5 | 0.50% | 2024-03-26 | 2026-04-28 |
| CVE-2024-27193 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PayU India PayU India payu-india allows DOM-Based XSS. This issue affects PayU India: from n/a through <= 3.8.8. | [email protected] | 7.1 | 0.36% | 2024-03-15 | 2026-04-23 |
| CVE-2022-0775 | The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment | [email protected] | 4.3 | 0.68% | 2024-01-16 | 2025-06-11 |
| CVE-2023-52222 | Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2. | [email protected] | 4.3 | 0.29% | 2024-01-08 | 2026-04-28 |
| CVE-2023-32795 | Deserialization of Untrusted Data vulnerability in WooCommerce Product Add-Ons. This issue affects Product Add-Ons: from n/a through 6.1.3. | [email protected] | 8.2 | 0.67% | 2023-12-28 | 2026-04-28 |
| CVE-2023-32799 | Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Shipping Multiple Addresses. This issue affects Shipping Multiple Addresses: from n/a through 3.8.3. | [email protected] | 6.5 | 0.55% | 2023-12-21 | 2026-04-28 |
| CVE-2023-33318 | Unrestricted Upload of File with Dangerous Type vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 4.9.40. | [email protected] | 9.9 | 0.81% | 2023-12-20 | 2026-04-28 |
| CVE-2023-33330 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 4.9.50. | [email protected] | 8.5 | 0.64% | 2023-12-20 | 2026-04-28 |
| CVE-2023-32743 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 5.7.1. | [email protected] | 7.6 | 0.61% | 2023-12-20 | 2026-04-28 |
| CVE-2023-32794 | Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce Product Add-Ons plugin <= 6.1.3 versions. | [email protected] | 5.4 | 0.30% | 2023-11-09 | 2026-04-28 |