Aggregates CVE and security vulnerability intelligence across all WooCommerce-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve open redirect and SQL injection and related problems; some flaws may lead to data exposure, affecting production workloads.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-5062 | The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | [email protected] | 6.1 | 1.57% | 2025-05-22 | 2025-09-30 |
| CVE-2024-9944 | The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions. | [email protected] | 5.3 | 0.72% | 2024-10-15 | 2024-10-17 |
| CVE-2023-35049 | Missing Authorization vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.4.0. | [email protected] | 7.5 | 0.35% | 2024-06-19 | 2025-03-10 |
| CVE-2023-51497 | Missing Authorization vulnerability in Woo WooCommerce Ship to Multiple Addresses. This issue affects WooCommerce Ship to Multiple Addresses: from n/a through 3.8.9. | [email protected] | 5.4 | 0.11% | 2024-06-14 | 2024-11-21 |
| CVE-2023-51496 | Missing Authorization vulnerability in Woo WooCommerce Warranty Requests. This issue affects WooCommerce Warranty Requests: from n/a through 2.2.7. | [email protected] | 5.3 | 0.21% | 2024-06-14 | 2024-11-21 |
| CVE-2023-51495 | Missing Authorization vulnerability in Woo WooCommerce Warranty Requests. This issue affects WooCommerce Warranty Requests: from n/a through 2.2.7. | [email protected] | 6.5 | 0.15% | 2024-06-14 | 2024-11-21 |
| CVE-2024-37297 | WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and | [email protected] | 5.4 | 0.97% | 2024-06-12 | 2024-11-21 |
| CVE-2023-34003 | Missing Authorization vulnerability in Woo WooCommerce Box Office. This issue affects WooCommerce Box Office: from n/a through 1.1.51. | [email protected] | 6.5 | 0.09% | 2024-06-09 | 2024-11-21 |
| CVE-2023-51494 | Missing Authorization vulnerability in Woo WooCommerce Product Vendors. This issue affects WooCommerce Product Vendors: from n/a through 2.2.1. | [email protected] | 5.3 | 0.26% | 2024-06-09 | 2024-11-21 |
| CVE-2023-44999 | Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Stripe Payment Gateway. This issue affects WooCommerce Stripe Payment Gateway: from n/a through 7.6.0. | [email protected] | 5.4 | 0.08% | 2024-03-27 | 2026-04-28 |
| CVE-2024-24799 | Missing Authorization vulnerability in WooCommerce WooCommerce Box Office. This issue affects WooCommerce Box Office: from n/a through 1.2.2. | [email protected] | 6.5 | 0.45% | 2024-03-26 | 2026-04-28 |
| CVE-2024-27193 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PayU India PayU India payu-india allows DOM-Based XSS. This issue affects PayU India: from n/a through <= 3.8.8. | [email protected] | 7.1 | 0.11% | 2024-03-15 | 2026-04-23 |
| CVE-2022-0775 | The WooCommerce WordPress plugin before 6.2.1 does not have a proper authorisation check when deleting reviews, which could allow any authenticated user, such as a subscriber, to delete arbitrary comments. | [email protected] | 4.3 | 0.34% | 2024-01-16 | 2025-06-11 |
| CVE-2023-52222 | Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2. | [email protected] | 4.3 | 0.14% | 2024-01-08 | 2026-04-28 |
| CVE-2023-32795 | Deserialization of Untrusted Data vulnerability in WooCommerce Product Add-Ons. This issue affects Product Add-Ons: from n/a through 6.1.3. | [email protected] | 8.2 | 0.17% | 2023-12-28 | 2026-04-28 |
| CVE-2023-32799 | Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Shipping Multiple Addresses. This issue affects Shipping Multiple Addresses: from n/a through 3.8.3. | [email protected] | 6.5 | 0.26% | 2023-12-21 | 2026-04-28 |
| CVE-2023-33318 | Unrestricted Upload of File with Dangerous Type vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 4.9.40. | [email protected] | 9.9 | 0.31% | 2023-12-20 | 2026-04-28 |
| CVE-2023-33330 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 4.9.50. | [email protected] | 8.5 | 0.15% | 2023-12-20 | 2026-04-28 |
| CVE-2023-32743 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 5.7.1. | [email protected] | 7.6 | 0.13% | 2023-12-20 | 2026-04-28 |
| CVE-2023-32794 | Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce Product Add-Ons plugin <= 6.1.3 versions. | [email protected] | 5.4 | 0.06% | 2023-11-09 | 2026-04-28 |