Woocommerce: Security Vulnerabilities
Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpoints of `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing API. Read-only SQL queries can be executed using this exploit, while data will not be returned, by carefully crafting `search` parameter information can be disclosed using timing and related attacks. Version 3.3.6 is the earliest version of Woocommerce with a patch for this vulnerability. There are no known workarounds other than upgrading.
CVSS Score
4.9
EPSS Score
0.018
Published
2021-07-26
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled
CVSS Score
4.8
EPSS Score
0.004
Published
2021-05-17
The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://woocommerce.com/products/woocommerce-help-scout/) allows unauthenticated users to upload any files to the site which by default will end up in wp-content/uploads/hstmp.
CVSS Score
9.8
EPSS Score
0.033
Published
2021-04-05
Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom GiftCard Template that can remotely execute arbitrary code. Once it contains the function "Custom Gift Card Template", the function of uploading a custom image is used, changing the name of the image extension to PHP and executing PHP code on the server.
CVSS Score
8.8
EPSS Score
0.007
Published
2020-12-28
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
CVSS Score
5.3
EPSS Score
0.086
Published
2020-12-27
An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress. An online payment system bypass allows orders to be marked as fully paid by assigning an arbitrary bank transaction ID during the payment-details entry step.
CVSS Score
7.5
EPSS Score
0.001
Published
2020-08-26
Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCS_Admin_Post_Types in class-wcs-admin-post-types.php.
CVSS Score
6.1
EPSS Score
0.005
Published
2020-07-23
WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.
CVSS Score
8.8
EPSS Score
0.001
Published
2020-06-19
The persian-woocommerce-sms plugin before 3.3.4 for WordPress has ps_sms_numbers XSS.
CVSS Score
6.1
EPSS Score
0.003
Published
2019-09-17
/payu/icpcheckout/ in the WooCommerce PayU India Payment Gateway plugin 2.1.1 for WordPress allows Parameter Tampering in the purchaseQuantity=1 parameter, as demonstrated by purchasing an item for lower than the intended price.
CVSS Score
5.3
EPSS Score
0.002
Published
2019-08-29