) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:woocommerce:woocommerce:1.0:*:*:*:*:wordpress:*:*
- CPE Name Search: true
| Vuln ID | Summary | CVSS Severity |
|---|---|---|
| CVE-2022-0775 |
The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment Published: January 16, 2024; 11:15:09 AM -0500 |
V3.1: 4.3 MEDIUM V2.0:(not available) |
| CVE-2023-52222 |
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.2.2. Published: January 08, 2024; 2:15:09 PM -0500 |
V3.1: 8.8 HIGH V2.0:(not available) |
| CVE-2023-32575 |
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI Websolution Product page shipping calculator for WooCommerce plugin <= 1.3.25 versions. Published: August 25, 2023; 7:15:08 AM -0400 |
V3.1: 4.8 MEDIUM V2.0:(not available) |
| CVE-2022-2099 |
The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles Published: July 17, 2022; 7:15:08 AM -0400 |
V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
| CVE-2021-24323 |
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled Published: May 17, 2021; 1:15:08 PM -0400 |
V3.1: 4.8 MEDIUM V2.0: 3.5 LOW |
| CVE-2020-29156 |
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. Published: December 27, 2020; 2:15:11 PM -0500 |
V3.1: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
| CVE-2019-20891 |
WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php. Published: June 19, 2020; 5:15:10 PM -0400 |
V3.1: 8.8 HIGH V2.0: 6.8 MEDIUM |
| CVE-2019-9168 |
WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. Published: February 25, 2019; 7:29:00 PM -0500 |
V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
| CVE-2018-20714 |
The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate privileges to admin. Published: January 15, 2019; 11:29:00 AM -0500 |
V3.0: 8.1 HIGH V2.0: 5.5 MEDIUM |
| CVE-2015-2329 |
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order. Published: February 08, 2018; 6:29:00 PM -0500 |
V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
| CVE-2016-10112 |
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format. Published: January 03, 2017; 9:59:03 PM -0500 |
V3.0: 4.8 MEDIUM V2.0: 3.5 LOW |