Woocommerce
Monthly
Missing Authorization vulnerability in Mulika Team MIPL WC Multisite Sync mipl-wc-multisite-sync allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MIPL WC Multisite Sync: from n/a through <= 1.4.4.
Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery. This issue affects Extra Fees Plugin for WooCommerce: from n/a through <= 4.3.3.
Server-Side Request Forgery (SSRF) vulnerability in Global Payments GlobalPayments WooCommerce global-payments-woocommerce allows Server Side Request Forgery. This issue affects GlobalPayments WooCommerce: from n/a through <= 1.18.0.
Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPal WooCommerce pymntpl-paypal-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Plugins for PayPal WooCommerce: from n/a through <= 2.0.13.
Booster for WooCommerce versions prior to 7.11.3 contain an authorization bypass vulnerability that allows unauthenticated remote attackers to exploit misconfigured access controls. This vulnerability could enable attackers to cause service disruptions or access unauthorized functionality within affected WooCommerce installations. No patch is currently available for this vulnerability.
Authorization bypass in Order Cancellation & Returns for WooCommerce plugin (versions ≤1.1.11) allows unauthenticated or low-privileged users to access and manipulate order cancellation and return functionality through user-controlled parameters. The vulnerability stems from improper access control checks that fail to validate user permissions against the requested resource, enabling attackers to operate on orders belonging to other customers without proper authorization. EPSS score of 0.01% indicates low observed exploitation likelihood despite the straightforward attack vector.
Cross-Site Request Forgery (CSRF) vulnerability in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin version 2.2.0 and earlier allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users through forged requests. The vulnerability affects the WordPress plugin used to enable live shopping and shoppable video streams in WooCommerce stores. No public exploit code has been identified, and the EPSS score of 0.02% indicates low exploitation probability despite the CSRF attack vector.
The Efí Bank Gerencianet Oficial WordPress plugin through version 3.1.3 exposes sensitive data by embedding it into sent HTTP requests or responses, allowing attackers to retrieve payment-related information without authentication. This information disclosure vulnerability (CWE-201) affects all installations of the affected plugin versions and is classified as low-risk based on EPSS score (0.04%, 12th percentile), with no public exploit code or active exploitation confirmed.
Orders Chat for WooCommerce plugin versions up to 1.2.0 fail to properly enforce access controls on chat functionality, allowing attackers to bypass authentication checks and access or manipulate order chat data through incorrectly configured security levels. This broken access control vulnerability (CWE-862) affects WordPress installations using the vulnerable plugin, with no public exploit code identified but confirmed exploitability of authorization bypass mechanics. EPSS probability is low at 0.04%, suggesting limited real-world exploitation likelihood despite the authorization flaw.
Broken access control in Vollstart Serial Codes Generator and Validator with WooCommerce Support plugin through version 2.8.2 allows unauthenticated attackers to exploit misconfigured security levels and bypass authorization checks to access or manipulate serial code functionality. The vulnerability stems from missing authorization validation on security-sensitive operations, enabling attackers to perform actions without proper privilege verification. No public exploit code or active exploitation has been identified at time of analysis, though the low EPSS score (0.05%) suggests limited real-world exploitation probability despite the access control weakness.
Missing authorization in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin (versions up to 2.2.0) allows unauthenticated or low-privilege users to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862) where endpoint-level authorization checks are insufficient or absent, potentially allowing attackers to bypass intended security restrictions on sensitive functionality. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability at time of analysis.
DOM-based cross-site scripting (XSS) in WooCommerce Parcelas WordPress plugin versions up to 1.3.5 allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While EPSS scoring indicates low exploitation probability (0.01%), the DOM-based nature and lack of authentication barriers make this a persistent client-side threat in environments where the vulnerable plugin remains deployed.
DOM-based cross-site scripting (XSS) in Genetech Products Web and WooCommerce Addons for WPBakery Builder (vc-addons-by-bit14) plugin versions up to 1.5 allows unauthenticated attackers to inject malicious scripts that execute in the context of affected user sessions. The vulnerability stems from improper neutralization of user-supplied input during web page generation. EPSS scoring (0.01%, percentile 3%) indicates very low real-world exploitation probability despite the nature of the flaw, and no public exploit code or active exploitation has been confirmed.
Object injection via unsafe deserialization in PDF Invoice Builder for WooCommerce plugin allows authenticated attackers with low privileges to execute arbitrary PHP code, manipulate application objects, or trigger other malicious actions. Affects all versions through 6.5.0. No public exploit identified at time of analysis, with EPSS probability of 0.07% suggesting minimal real-world exploitation activity despite high CVSS score.
Missing authorization in WCFM - Frontend Manager for WooCommerce through version 6.7.24 allows authenticated users with limited privileges to bypass access controls via incorrectly configured security levels, enabling read-only disclosure of sensitive information. The vulnerability requires user interaction and has a low EPSS score (0.03%, 10th percentile), indicating minimal real-world exploitation probability despite the authentication requirement.
Missing authorization in Easy Payment Payment Gateway for PayPal (woo-paypal-gateway) WordPress plugin versions up to 9.0.53 allows unauthenticated remote attackers to access sensitive payment gateway data through improper access control configuration. The vulnerability enables unauthorized information disclosure with low confidentiality impact. EPSS score of 0.04% indicates minimal observed exploitation probability despite network accessibility and no authentication requirement.
Paysera WooCommerce Payment Gateway plugin through version 3.10.0 contains a missing authorization flaw allowing authenticated users with lower privilege levels to access or perform actions intended for higher-privilege roles, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control checks and has an EPSS score of 0.04% (11th percentile), indicating low real-world exploitation probability despite the CVSS 4.3 rating and authenticated attack vector.
Missing authorization in Eupago Gateway For Woocommerce allows unauthenticated remote attackers to modify data via incorrectly configured access control, affecting versions up to 4.7.1. The vulnerability enables integrity compromise without requiring authentication or user interaction, though with low attack complexity. EPSS scoring of 0.04% indicates minimal real-world exploitation probability despite moderate CVSS severity.
Stored XSS in Premmerce Product Search for WooCommerce through version 2.2.5 allows high-privilege authenticated users to inject malicious scripts that execute in the context of other users' browsers, affecting website visitors and administrators. The vulnerability requires user interaction (page view) to trigger payload execution and has low EPSS exploitation probability (0.02%), indicating minimal real-world risk despite the network-accessible attack vector. No public exploit code or active exploitation has been confirmed.
Stored cross-site scripting (XSS) vulnerability in Automattic WooCommerce through version 10.0.2 allows attackers to inject malicious scripts that persist in the application and execute in the browsers of other users. The vulnerability stems from improper input neutralization during web page generation, enabling authenticated or lower-privileged users to compromise the integrity of the WooCommerce storefront and potentially steal customer data or perform actions on behalf of administrators.
Missing authorization controls in the Open Close WooCommerce Store plugin (versions ≤4.9.9) allow authenticated low-privileged users to bypass access restrictions and perform unauthorized high-impact operations, potentially modifying store configuration or accessing sensitive data. With CVSS 8.1 (High severity) but only 0.03% EPSS (9th percentile), this represents a significant vulnerability for affected WordPress/WooCommerce sites, though no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. The authentication requirement (PR:L) substantially limits attack surface compared to unauthenticated vulnerabilities.
Broken access control in Conversios.io WooCommerce analytics plugin (versions ≤7.2.13) allows authenticated low-privilege users to access or modify high-sensitivity data without proper authorization checks. The vulnerability enables privilege escalation where any authenticated user can bypass intended access restrictions to read confidential information or alter plugin settings/data. EPSS score of 0.03% (9th percentile) indicates low predicted exploitation probability; no public exploit identified at time of analysis.
Stored cross-site scripting (XSS) in WPClever WPC Smart Messages for WooCommerce plugin versions up to 4.2.8 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity through script injection, with a CVSS score of 5.4 reflecting moderate risk; however, the 0.02% EPSS score indicates minimal real-world exploitation probability at time of analysis, and no public exploit code or active exploitation has been confirmed.
Reflected cross-site scripting in Robokassa Payment Gateway for WooCommerce plugin (versions ≤1.8.5) allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability enables changed-scope attacks where attackers can steal session tokens, perform unauthorized actions, or redirect victims to malicious sites through crafted URLs. No public exploit identified at time of analysis, with EPSS score of 0.03% indicating minimal observed exploitation activity.
SQL injection vulnerability in ELEX WooCommerce Advanced Bulk Edit Products plugin allows authenticated attackers to execute arbitrary SQL commands through unvalidated input in versions up to 1.4.9. The vulnerability requires subscriber-level or higher WordPress user privileges and carries low exploitation probability (EPSS 0.05%) despite its critical nature, suggesting limited practical attack incentive or complexity factors currently limiting real-world abuse.
Missing authorization controls in WPFactory's Product XML Feed Manager for WooCommerce through version 2.9.2 allow attackers to exploit incorrectly configured access control security levels, potentially exposing sensitive product feed data or enabling unauthorized administrative actions. The vulnerability affects all versions up to and including 2.9.2, with no publicly available exploit code identified at time of analysis, and an EPSS score of 0.07% indicating very low real-world exploitation probability despite the authorization defect.
Unrestricted file upload vulnerability in Webkul Medical Prescription Attachment Plugin for WooCommerce through version 1.2.3 allows attackers to upload web shells to the server, enabling remote code execution. The plugin fails to properly validate uploaded file types, permitting dangerous executable files to be stored in web-accessible directories. No CVSS score or public exploit code has been published; however, the low EPSS score (0.11%, 29th percentile) suggests minimal exploitation probability despite the high intrinsic severity of arbitrary file upload to WordPress environments.
Cross-site request forgery in WP Swings Wallet System for WooCommerce plugin through version 2.6.7 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious web pages. The vulnerability affects all installations of the plugin up to and including version 2.6.7, with no public exploit code identified at time of analysis, though the low EPSS score (0.02%) suggests minimal real-world exploitation likelihood despite the straightforward attack mechanism.
Cross-Site Request Forgery (CSRF) vulnerability in WesternDeal WooCommerce Google Sheet Connector plugin versions up to 1.3.20 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated WordPress administrators. The plugin fails to implement proper CSRF token validation on critical functionality, enabling attackers to craft malicious requests that execute actions without explicit user consent. Although EPSS scoring indicates low exploitation probability (0.02%), CSRF vulnerabilities targeting WordPress admin functions represent a meaningful risk in multi-admin environments where social engineering can trick administrators into visiting attacker-controlled pages.
A remote code execution vulnerability in themelocation Change Cart button Colors WooCommerce allows Stored XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.
SQL injection vulnerability in WpExperts Hub's Woocommerce Partial Shipment plugin (versions up to 3.2) allows authenticated attackers with low privileges to execute arbitrary SQL queries. The vulnerability has a CVSS score of 8.5 (High) with network accessibility and low attack complexity, enabling attackers to read sensitive database information and potentially disrupt service availability. The attack requires valid user credentials but no special interaction, making it a significant risk for multi-user WordPress/WooCommerce installations.
Critical deserialization of untrusted data vulnerability in the yuliaz Rapyd Payment Extension for WooCommerce (versions through 1.2.0) allows unauthenticated remote attackers to perform object injection attacks. The vulnerability has a CVSS score of 9.8 with a network-accessible attack vector and no authentication required, meaning any internet-connected attacker can exploit it without user interaction. If actively exploited or proof-of-concept code is available, this represents an immediate risk to all unpatched WooCommerce installations using this payment plugin.
Missing Authorization (CWE-862) vulnerability in WP Swings Membership For WooCommerce allows unauthenticated attackers to access functionality not properly constrained by Access Control Lists (ACLs). The vulnerability affects versions up to and including 2.8.1 of this WordPress/WooCommerce plugin, enabling unauthorized users to bypass membership restrictions and potentially access premium features or sensitive membership data without valid credentials. With a CVSS score of 7.5 and a network-accessible attack vector requiring no privileges or user interaction, this represents a significant exposure risk for e-commerce sites relying on this plugin for membership management.
Reflected Cross-Site Scripting (XSS) vulnerability in the WC MyParcel Belgium WordPress plugin (versions 4.5.5 through beta) allows unauthenticated attackers to inject arbitrary JavaScript into web pages viewed by users. An attacker can craft a malicious URL to execute scripts in a victim's browser within the context of the affected website, potentially stealing session cookies, performing unauthorized actions, or redirecting users to phishing sites. The CVSS 7.1 score reflects moderate severity with a network-based attack vector, no privilege requirements, and a user interaction dependency; active exploitation status and POC availability are currently unknown from public sources.
CVE-2025-48129 is an Incorrect Privilege Assignment vulnerability (CWE-266) in Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light plugin that allows unauthenticated remote attackers to escalate privileges and gain complete control over affected WordPress installations. The vulnerability affects versions up to and including 2.4.37, with a critical CVSS 9.8 score indicating network-exploitable, low-complexity privilege escalation requiring no authentication or user interaction. Active exploitation status and proof-of-concept availability would significantly elevate real-world risk given the plugin's direct access to WooCommerce/WP E-commerce price modification functionality.
A remote code execution vulnerability in sonalsinha21 Recover abandoned cart for WooCommerce allows SQL Injection (CVSS 9.3). Risk factors: EPSS 32% exploitation probability.
Missing Authorization vulnerability in Fahad Mahmood's Stock Locations for WooCommerce plugin (versions up to 2.8.6) allows authenticated users with low privileges to perform unauthorized actions including information disclosure and availability disruption. An attacker with basic user credentials can bypass access controls to modify stock locations or trigger denial-of-service conditions due to improper privilege verification. This vulnerability has a CVSS score of 7.1 (High) and affects WooCommerce installations using the vulnerable plugin; KEV status and active exploitation data are not currently confirmed in public advisories.
A remote code execution vulnerability in snstheme Valen - Sport (CVSS 8.1). High severity vulnerability requiring prompt remediation.
Blind SQL Injection vulnerability in the TicketBAI Facturas para WooCommerce plugin (versions up to 3.19) allows unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has a critical CVSS score of 9.3 with a network-based attack vector requiring no privileges or user interaction, potentially enabling data exfiltration from WordPress database instances. Active exploitation status and proof-of-concept availability should be verified through KEV databases and security research channels.
A remote code execution vulnerability in snstheme BodyCenter - Gym (CVSS 8.1). High severity vulnerability requiring prompt remediation.
CVE-2025-49315 is an SQL injection vulnerability in PersianScript's Persian Woocommerce SMS plugin affecting versions up to 7.0.10. An authenticated attacker with high privileges (administrator or above) can inject arbitrary SQL commands to read sensitive database information and cause denial of service. While the CVSS score is 7.6 (high), the requirement for elevated privileges (PR:H) and lack of integrity impact limit real-world exploitability, though the cross-site scope elevation and confirmed existence of this vulnerability class in WordPress plugins warrant immediate patching.
Blind SQL injection vulnerability in WC Vendors Marketplace plugin versions through 2.5.6 allows authenticated attackers with high privileges (administrator or vendor) to extract sensitive database information without direct output visibility. The vulnerability has a CVSS score of 7.6 with high confidentiality impact, though integrity is not compromised and availability impact is low. No publicly available exploit code or active exploitation has been confirmed at this time, but the attack requires only network access and high-privilege authentication.
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. No vendor patch available.
Cross-site request forgery in WP Swings Wallet System for WooCommerce plugin through version 2.6.7 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious web pages. The vulnerability affects all installations of the plugin up to and including version 2.6.7, with no public exploit code identified at time of analysis, though the low EPSS score (0.02%) suggests minimal real-world exploitation likelihood despite the straightforward attack mechanism.
Cross-Site Request Forgery (CSRF) vulnerability in WesternDeal WooCommerce Google Sheet Connector plugin versions up to 1.3.20 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated WordPress administrators. The plugin fails to implement proper CSRF token validation on critical functionality, enabling attackers to craft malicious requests that execute actions without explicit user consent. Although EPSS scoring indicates low exploitation probability (0.02%), CSRF vulnerabilities targeting WordPress admin functions represent a meaningful risk in multi-admin environments where social engineering can trick administrators into visiting attacker-controlled pages.
A remote code execution vulnerability in themelocation Change Cart button Colors WooCommerce allows Stored XSS (CVSS 7.1). High severity vulnerability requiring prompt remediation.
SQL injection vulnerability in WpExperts Hub's Woocommerce Partial Shipment plugin (versions up to 3.2) allows authenticated attackers with low privileges to execute arbitrary SQL queries. The vulnerability has a CVSS score of 8.5 (High) with network accessibility and low attack complexity, enabling attackers to read sensitive database information and potentially disrupt service availability. The attack requires valid user credentials but no user interaction, making it a significant risk for multi-user WordPress/WooCommerce installations.
Critical deserialization of untrusted data vulnerability in the yuliaz Rapyd Payment Extension for WooCommerce (versions through 1.2.0) allows unauthenticated remote attackers to perform object injection attacks. The vulnerability has a CVSS score of 9.8 with a network-accessible attack vector and no authentication required, meaning any internet-connected attacker can exploit it without user interaction. If it is actively exploited or proof-of-concept code becomes available, this represents an immediate risk to all unpatched WooCommerce installations using this payment plugin.
Missing Authorization (CWE-862) vulnerability in WP Swings Membership For WooCommerce allows unauthenticated attackers to access functionality not properly constrained by Access Control Lists (ACLs). The vulnerability affects versions up to and including 2.8.1 of this WordPress/WooCommerce plugin, enabling unauthorized users to bypass membership restrictions and potentially access premium features or sensitive membership data without valid credentials. With a CVSS score of 7.5 and a network-accessible attack vector requiring no privileges or user interaction, this represents a significant exposure risk for e-commerce sites relying on this plugin for membership management.
Reflected Cross-Site Scripting (XSS) vulnerability in the WC MyParcel Belgium WordPress plugin (versions 4.5.5 through beta) allows unauthenticated attackers to inject arbitrary JavaScript into web pages viewed by users. An attacker can craft a malicious URL to execute scripts in a victim's browser within the context of the affected website, potentially stealing session cookies, performing unauthorized actions, or redirecting users to phishing sites. The CVSS 7.1 score reflects moderate severity with a network-based attack vector, no privilege requirements, and a user interaction dependency; active exploitation status and POC availability are currently unknown from public sources.
CVE-2025-48129 is an Incorrect Privilege Assignment vulnerability (CWE-266) in Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light plugin that allows unauthenticated remote attackers to escalate privileges and gain complete control over affected WordPress installations. The vulnerability affects versions up to and including 2.4.37, with a critical CVSS 9.8 score indicating network-exploitable, low-complexity privilege escalation requiring no authentication or user interaction. Active exploitation status and proof-of-concept availability would significantly elevate real-world risk given the plugin's direct access to WooCommerce/WP E-commerce price modification functionality.
A remote code execution vulnerability in sonalsinha21 Recover abandoned cart for WooCommerce allows SQL Injection (CVSS 9.3). Risk factors: EPSS 32% exploitation probability.
Missing Authorization vulnerability in Fahad Mahmood's Stock Locations for WooCommerce plugin (versions up to 2.8.6) allows authenticated users with low privileges to perform unauthorized actions, including information disclosure and availability disruption. An attacker with basic user credentials can bypass access controls to modify stock locations or trigger denial-of-service conditions due to improper privilege verification. This vulnerability has a CVSS score of 7.1 (High) and affects WooCommerce installations using the vulnerable plugin; KEV status and active exploitation data are not currently confirmed in public advisories.
A remote code execution vulnerability in snstheme Valen - Sport (CVSS 8.1). High severity vulnerability requiring prompt remediation.
Blind SQL Injection vulnerability in the TicketBAI Facturas para WooCommerce plugin (versions up to 3.19) allows unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has a critical CVSS score of 9.3 with a network-based attack vector requiring no privileges or user interaction, potentially enabling data exfiltration from WordPress database instances. Active exploitation status and proof-of-concept availability should be verified through KEV databases and security research channels.
A remote code execution vulnerability in snstheme BodyCenter - Gym (CVSS 8.1). High severity vulnerability requiring prompt remediation.
CVE-2025-49315 is an SQL injection vulnerability in PersianScript's Persian Woocommerce SMS plugin affecting versions up to 7.0.10. An authenticated attacker with high privileges (administrator or above) can inject arbitrary SQL commands to read sensitive database information and cause denial of service. While the CVSS score is 7.6 (high), the requirement for elevated privileges (PR:H) and lack of integrity impact limit real-world exploitability, though the cross-site scope elevation and confirmed existence of this vulnerability class in WordPress plugins warrant immediate patching.
Blind SQL injection vulnerability in WC Vendors Marketplace plugin versions through 2.5.6 allows authenticated attackers with high privileges (administrator or vendor) to extract sensitive database information without direct output visibility. The vulnerability has a CVSS score of 7.6 with high confidentiality impact, though integrity is not compromised and availability impact is low. No publicly available exploit code or active exploitation has been confirmed at this time, but the attack requires only network access and high-privilege authentication.
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch available.