Woocommerce: >> Woocommerce >> 1.1.2 Security Vulnerabilities
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.
CVSS Score
8.8
EPSS Score
0.013
Published
2019-01-15
The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate privileges to admin.
CVSS Score
8.1
EPSS Score
0.009
Published
2019-01-15
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order.
CVSS Score
6.1
EPSS Score
0.003
Published
2018-02-08
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format.
CVSS Score
4.8
EPSS Score
0.001
Published
2017-01-04
Page 2