
automattic — Vulnerabilities & Security Advisories (58)

Browse all 58 CVE security advisories affecting automattic. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Automattic operates as a software development company best known for creating WordPress, the widely used content management system powering a significant portion of the web. Its core business involves maintaining and distributing this open-source platform, alongside related services like hosting and e-commerce solutions. Historically, the organization has faced numerous security challenges, with 58 Common Vulnerabilities and Exposures (CVEs) recorded to date. These incidents predominantly involve remote code execution, cross-site scripting, and privilege escalation flaws, often stemming from the complex plugin and theme ecosystem rather than the core software itself. While major data breaches have not been widely publicized, the sheer volume of vulnerabilities highlights the risks associated with its extensive third-party integrations. The company continues to address these issues through regular updates and security advisories, aiming to mitigate the attack surface inherent in its decentralized development model.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-3589 | WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF | WooCommerce | - | 8.8 | - | 2026-03-06 |
| CVE-2026-22356 | WordPress Jetpack CRM plugin <= 6.7.0 - Local File Inclusion vulnerability | Jetpack CRM | CWE-98 | 7.5 | High | 2026-02-20 |
| CVE-2026-25404 | WordPress WP Job Manager plugin <= 2.4.0 - Broken Access Control vulnerability | WP Job Manager | CWE-862 | 5.3 | Medium | 2026-02-19 |
| CVE-2023-54332 | Jetpack 11.4 - Cross Site Scripting (XSS) | Jetpack | CWE-79 | 6.1 | Medium | 2026-01-13 |
| CVE-2023-52212 | WordPress WP Job Manager plugin <= 2.0.0 - Cross Site Request Forgery (CSRF) vulnerability | WP Job Manager | CWE-352 | 5.4 | Medium | 2026-01-05 |
| CVE-2025-69015 | WordPress Crowdsignal Forms plugin <= 1.7.2 - Broken Access Control vulnerability | Crowdsignal Forms | CWE-862 | 3.8 | Low | 2025-12-30 |
| CVE-2025-15033 | WooCommerce - Subscriber/Customer+ Order Data Disclosure | WooCommerce | - | 4.3 (AI-estimated) | Medium (AI-estimated) | 2025-12-22 |
| CVE-2023-7320 | WooCommerce <= 7.8.2 - Sensitive Information Exposure | WooCommerce | CWE-200 | 5.3 | Medium | 2025-10-29 |
| CVE-2025-49042 | WordPress WooCommerce plugin <= 10.0.2 - Cross Site Scripting (XSS) vulnerability | WooCommerce | CWE-79 | 5.9 | Medium | 2025-10-29 |
| CVE-2025-57924 | WordPress Developer Plugin <= 1.2.6 - Cross Site Request Forgery (CSRF) Vulnerability | Developer | CWE-352 | 4.3 | Medium | 2025-09-22 |
| CVE-2025-49325 | WordPress Newspack Newsletters plugin <= 3.13.0 - Open Redirection Vulnerability | Newspack Newsletters | CWE-601 | 4.7 | Medium | 2025-06-06 |
| CVE-2025-5062 | WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting | WooCommerce | CWE-79 | 6.1 | Medium | 2025-05-22 |
| CVE-2024-56006 | WordPress Jetpack Debug Tools plugin < 2.0.1 - Broken Access Control vulnerability | Jetpack Debug Tools | CWE-862 | 5.3 | Medium | 2025-05-15 |
| CVE-2025-22740 | WordPress Sensei LMS plugin <= 4.24.4 - Broken Access Control vulnerability | Sensei LMS | CWE-862 | 5.3 | Medium | 2025-03-27 |
| CVE-2025-26762 | WordPress WooCommerce plugin <= 9.7.0 - Cross Site Scripting (XSS) vulnerability | WooCommerce | CWE-79 | 5.9 | Medium | 2025-03-27 |
| CVE-2024-37241 | WordPress WP Job Manager Resume Manager plugin <= 2.1.0 - Cross Site Request Forgery (CSRF) vulnerability | WP Job Manager - Resume Manager | CWE-352 | 4.3 | Medium | 2025-01-02 |
| CVE-2024-37242 | WordPress Newspack Newsletters plugin <= 2.13.2 - Cross Site Request Forgery (CSRF) vulnerability | Newspack Newsletters | CWE-352 | 4.3 | Medium | 2025-01-02 |
| CVE-2024-43338 | WordPress Crowdsignal Polls & Ratings plugin <= 3.1.3 - Cross Site Request Forgery (CSRF) vulnerability | Crowdsignal Dashboard – Polls, Surveys & more | CWE-352 | 4.3 | Medium | 2024-11-19 |
| CVE-2024-37423 | WordPress Newspack Blocks plugin <= 3.0.8 - Contributor+ Arbitrary Directory Deletion vulnerability | Newspack Blocks | CWE-22 | 8.5 | High | 2024-11-01 |
| CVE-2024-37425 | WordPress Newspack Blocks plugin <= 3.0.8 - Broken Access Control vulnerability | Newspack Blocks | CWE-862 | 5.4 | Medium | 2024-11-01 |
| CVE-2024-37443 | WordPress WP Job Manager plugin <= 2.1.0 - Broken Access Control vulnerability | WP Job Manager - Resume Manager | CWE-862 | 4.3 | Medium | 2024-11-01 |
| CVE-2024-37477 | WordPress Newspack Content Converter plugin <= 0.1.5 - Broken Access Control vulnerability | Newspack Content Converter | CWE-862 | 6.5 | Medium | 2024-11-01 |
| CVE-2024-37475 | WordPress Newspack Newsletters plugin <= 2.13.2 - Broken Access Control vulnerability | Newspack Newsletters | CWE-862 | 5.3 | Medium | 2024-11-01 |
| CVE-2024-43968 | WordPress Newspack plugin < 3.8.7 - Broken Access Control vulnerability | Newspack | CWE-862 | 4.3 | Medium | 2024-11-01 |
| CVE-2024-9944 | WooCommerce <= 9.0.2 - Unauthenticated HTML Injection | WooCommerce | CWE-79 | 5.3 | Medium | 2024-10-15 |
| CVE-2024-43949 | WordPress GHActivity plugin <= 2.0.0-alpha - Cross Site Scripting (XSS) vulnerability | GHActivity | CWE-79 | 6.5 | Medium | 2024-08-29 |
| CVE-2024-35686 | WordPress Sensei LMS plugin <= 4.23.1 - Broken Access Control vulnerability | Sensei LMS | CWE-862 | 5.3 | Medium | 2024-08-18 |
| CVE-2024-39666 | WordPress WooCommerce plugin <= 9.1.2 - Cross Site Scripting (XSS) vulnerability | WooCommerce | CWE-79 | 5.9 | Medium | 2024-08-18 |
| CVE-2024-37115 | WordPress Newspack Blocks plugin <= 3.0.8 - Sensitive Data Exposure vulnerability | Newspack Blocks | CWE-200 | 7.5 | High | 2024-07-10 |
| CVE-2024-37424 | WordPress Newspack Blocks plugin <= 3.0.8 - Arbitrary File Upload vulnerability | Newspack Blocks | CWE-434 | 9.9 | Critical | 2024-07-09 |

Entries marked "AI-estimated" carry a CVSS score and severity produced by the site's automated analysis rather than an official assessment; a "-" means the field was not given in the listing.

This page lists every published CVE security advisory associated with automattic. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.