
WooCommerce — Vulnerabilities & Security Advisories (47)

Browse all 47 CVE security advisories affecting WooCommerce. AI-powered Chinese analysis, POCs, and references for each vulnerability.

WooCommerce is an open-source e-commerce plugin for WordPress, enabling merchants to build and manage online stores. Its widespread adoption has made it a frequent target for attackers, resulting in 47 recorded Common Vulnerabilities and Exposures. Historically, the software has been susceptible to critical flaw classes, including Remote Code Execution (RCE), Cross-Site Scripting (XSS), and Privilege Escalation. These vulnerabilities often stem from insufficient input validation or improper access controls within the plugin’s codebase. While the project maintains an active security team that regularly issues patches, the sheer volume of installed instances creates a large attack surface. Notable incidents have involved compromised admin accounts and data exfiltration, highlighting the risks associated with outdated versions. Users are strongly advised to keep the software updated to mitigate these persistent threats and ensure transactional integrity.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-1710 | WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax | WooPayments: Integrated WooCommerce Payments | CWE-285 | 6.5 | Medium | 2026-03-31 |
| CVE-2025-13457 | WooCommerce Square <= 5.1.1 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id | WooCommerce Square | CWE-639 | 7.5 | High | 2026-01-10 |
| CVE-2024-10486 | Google for WooCommerce <= 2.8.6 - Information Disclosure via Publicly Accessible PHP Info File | Google for WooCommerce | CWE-862 | 5.3 | Medium | 2024-11-18 |
| CVE-2020-36841 | WooCommerce Smart Coupons <= 4.6.0 - Unauthenticated Coupon Creation | WooCommerce Smart Coupons | CWE-285 | 5.3 | Medium | 2024-10-16 |
| CVE-2017-20193 | Product Vendors <= 2.0.35 - Reflected Cross Site Scripting | Product Vendors | CWE-79 | 4.7 | Medium | 2024-10-16 |
| CVE-2023-35049 | WordPress WooCommerce Stripe Payment Gateway plugin <= 7.4.0 - Unauthenticated Broken Access Control vulnerability | WooCommerce Stripe Payment Gateway | CWE-862 | 7.5 | High | 2024-06-19 |
| CVE-2024-37297 | WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms | woocommerce | CWE-79 | 5.4 | Medium | 2024-06-12 |
| CVE-2023-35881 | WordPress WooCommerce One Page Checkout plugin <= 2.3.0 - Local File Inclusion vulnerability | WooCommerce One Page Checkout | CWE-22 | 7.6 | High | 2024-05-17 |
| CVE-2023-51499 | WordPress WooCommerce Shipping Per Product plugin <= 2.5.4 - Broken Access Control vulnerability | WooCommerce Shipping Per Product | CWE-862 | 4.3 | Medium | 2024-04-12 |
| CVE-2023-44999 | WordPress WooCommerce Stripe Gateway plugin <= 7.6.0 - Cross Site Request Forgery (CSRF) vulnerability | WooCommerce Stripe Payment Gateway | CWE-352 | 5.4 | Medium | 2024-03-27 |
| CVE-2024-24799 | WordPress WooCommerce Box Office plugin <= 1.2.2 - Broken Access Control vulnerability | WooCommerce Box Office | CWE-862 | 6.5 | Medium | 2024-03-26 |
| CVE-2023-51502 | WordPress WooCommerce Stripe Payment Gateway Plugin <= 7.6.1 is vulnerable to Insecure Direct Object References (IDOR) | WooCommerce Stripe Payment Gateway | CWE-639 | 7.5 | High | 2024-01-05 |
| CVE-2023-32795 | WordPress WooCommerce Product Add-ons Plugin <= 6.1.3 is vulnerable to PHP Object Injection | Product Add-Ons | CWE-502 | 8.2 | High | 2023-12-28 |
| CVE-2023-32799 | WordPress WooCommerce Ship to Multiple Addresses Plugin <= 3.8.3 is vulnerable to Insecure Direct Object References (IDOR) | Shipping Multiple Addresses | CWE-639 | 6.5 | Medium | 2023-12-21 |
| CVE-2023-32747 | WordPress WooCommerce Bookings Plugin <= 1.15.78 is vulnerable to Insecure Direct Object References (IDOR) | WooCommerce Bookings | CWE-639 | 5.4 | Medium | 2023-12-21 |
| CVE-2023-33318 | WordPress WooCommerce Follow-Up Emails Plugin <= 4.9.40 is vulnerable to Arbitrary File Upload | AutomateWoo | CWE-434 | 9.9 | Critical | 2023-12-20 |
| CVE-2023-32743 | WordPress AutomateWoo Plugin <= 5.7.1 is vulnerable to SQL Injection | AutomateWoo | CWE-89 | 7.6 | High | 2023-12-20 |
| CVE-2023-33330 | WordPress WooCommerce Follow-Up Emails Plugin <= 4.9.50 is vulnerable to SQL Injection | AutomateWoo | CWE-89 | 8.5 | High | 2023-12-20 |
| CVE-2023-35914 | WordPress WooCommerce Subscriptions Plugin <= 5.1.2 is vulnerable to Insecure Direct Object References (IDOR) | Woo Subscriptions | CWE-639 | 7.5 | High | 2023-12-20 |
| CVE-2023-35876 | WordPress WooCommerce Square Plugin <= 3.8.1 is vulnerable to Insecure Direct Object References (IDOR) | WooCommerce Square | CWE-639 | 8.1 | High | 2023-12-20 |
| CVE-2023-37871 | WordPress WooCommerce GoCardless Gateway Plugin <= 2.5.6 is vulnerable to Insecure Direct Object References (IDOR) | GoCardless | CWE-639 | 8.2 | High | 2023-12-20 |
| CVE-2023-33331 | WordPress WooCommerce Product Vendors Plugin <= 2.1.76 is vulnerable to SQL Injection | Product Vendors | CWE-89 | 8.5 | High | 2023-12-18 |
| CVE-2023-47789 | WordPress WooCommerce Canada Post Shipping Plugin <= 2.8.3 is vulnerable to Cross Site Request Forgery (CSRF) | Canada Post Shipping Method | CWE-352 | 4.3 | Medium | 2023-12-18 |
| CVE-2023-47787 | WordPress WooCommerce Bookings Plugin <= 2.0.3 is vulnerable to Cross Site Request Forgery (CSRF) | WooCommerce Bookings | CWE-352 | 4.3 | Medium | 2023-12-18 |
| CVE-2023-32744 | WordPress WooCommerce Product Recommendations Plugin < 2.3.0 is vulnerable to Cross Site Request Forgery (CSRF) | Product Recommendations | CWE-352 | 5.4 | Medium | 2023-11-09 |
| CVE-2023-32745 | WordPress AutomateWoo Plugin <= 5.7.1 is vulnerable to Cross Site Request Forgery (CSRF) | AutomateWoo | CWE-352 | 5.4 | Medium | 2023-11-09 |
| CVE-2023-32794 | WordPress WooCommerce Product Add-ons Plugin <= 6.1.3 is vulnerable to Cross Site Request Forgery (CSRF) | Product Add-Ons | CWE-352 | 5.4 | Medium | 2023-11-09 |
| CVE-2023-35879 | WordPress WooCommerce Product Vendors Plugin <= 2.1.78 is vulnerable to SQL Injection | Product Vendors | CWE-89 | 7.6 | High | 2023-10-31 |
| CVE-2023-34004 | WordPress WooCommerce Box Office Plugin <= 1.1.50 is vulnerable to Cross Site Scripting (XSS) | WooCommerce Box Office | CWE-79 | 6.5 | Medium | 2023-08-30 |
| CVE-2023-33317 | WordPress WooCommerce Warranty Requests Plugin <= 2.1.6 is vulnerable to Cross Site Scripting (XSS) | Returns and Warranty Requests | CWE-79 | 7.1 | High | 2023-08-30 |

This page lists every published CVE security advisory associated with WooCommerce. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.