Woocommerce: >> Woocommerce >> 3.5.0 Security Vulnerabilities
The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions.
CVSS Score
5.3
EPSS Score
0.001
Published
2024-10-15
The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment
CVSS Score
4.3
EPSS Score
0.003
Published
2024-01-16
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.2.2.
CVSS Score
4.3
EPSS Score
0.002
Published
2024-01-08
The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles
CVSS Score
4.8
EPSS Score
0.002
Published
2022-07-17
Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpoints of `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing API. Read-only SQL queries can be executed using this exploit, while data will not be returned, by carefully crafting `search` parameter information can be disclosed using timing and related attacks. Version 3.3.6 is the earliest version of Woocommerce with a patch for this vulnerability. There are no known workarounds other than upgrading.
CVSS Score
4.9
EPSS Score
0.033
Published
2021-07-26
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled
CVSS Score
4.8
EPSS Score
0.004
Published
2021-05-17
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
CVSS Score
5.3
EPSS Score
0.131
Published
2020-12-27
WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.
CVSS Score
8.8
EPSS Score
0.001
Published
2020-06-19
WooCommerce before 3.5.5 allows XSS via a Photoswipe caption.
CVSS Score
6.1
EPSS Score
0.002
Published
2019-02-26