Woocommerce CVEs and Security Vulnerabilities

Filtered by vendor Woocommerce Subscriptions

Filtered by product Woocommerce Subscriptions

Search

Switch to Advanced Search (Beta)

Total 97 CVE

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2025-49380	3 Woocommerce, Wordpress, Wpinstinct	3 Woocommerce, Wordpress, Woocommerce Vehicle Parts Finder	2025-10-23	5.3 Medium
Deserialization of Untrusted Data vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Object Injection.This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7.
CVE-2025-59006	3 Themebon, Woocommerce, Wordpress	3 Easy Woocommerce Customizer, Woocommerce, Wordpress	2025-10-23	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Easy Woocommerce Customizer easy-woocommerce-customizer allows Reflected XSS.This issue affects Easy Woocommerce Customizer: from n/a through <= 1.0.2.
CVE-2025-49911	3 Woocommerce, Wordpress, Wpinstinct	3 Woocommerce, Wordpress, Woo Commerce Vehicle Parts Finder	2025-10-23	7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpinstinct WooCommerce Vehicle Parts Finder woo-vehicle-parts-finder allows Reflected XSS.This issue affects WooCommerce Vehicle Parts Finder: from n/a through <= 3.7.
CVE-2025-10570	3 Woocommerce, Wordpress, Wpdesk	3 Woocommerce, Wordpress, Flexible Refund And Return Order For Woocommerce	2025-10-23	4.3 Medium
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own.
CVE-2025-10167	3 Woocommerce, Wordpress, Wpcodefactory	3 Woocommerce, Wordpress, Stock History & Reports Manager For Woocommerce	2025-10-21	6.4 Medium
The Stock History & Reports Manager for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_stock_snapshot_restocked shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-10862	3 Roxnor, Woocommerce, Wordpress	3 Popup Builder, Woocommerce, Wordpress	2025-10-09	7.5 High
The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.1.3. This is due to insufficient escaping on the 'id' parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2025-10162	2 Woocommerce, Wordpress	2 Woocommerce, Wordpress	2025-10-08	7.5 High
The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files via a path traversal attack
CVE-2025-9286	3 Hancock11, Woocommerce, Wordpress	3 Appy Pie Connect For Woocommerce, Woocommerce, Wordpress	2025-10-06	9.8 Critical
The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to to reset the password of arbitrary users, including administrators, thereby gaining administrative access.
CVE-2025-10191	3 Fusedsoftware, Woocommerce, Wordpress	3 Big Post Shipping For Woocommerce, Woocommerce, Wordpress	2025-10-02	6.4 Medium
The Big Post Shipping for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wooboigpost_shipping_status' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-5062	1 Woocommerce	1 Woocommerce	2025-09-30	6.1 Medium
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2025-58917	3 Nick Verwymeren, Woocommerce, Wordpress	3 Quantities And Units For Woocommerce, Woocommerce, Wordpress	2025-09-29	6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nick Verwymeren Quantities and Units for WooCommerce allows Stored XSS. This issue affects Quantities and Units for WooCommerce: from n/a through 1.0.13.
CVE-2025-60173	3 Ashwani Kumar, Woocommerce, Wordpress	3 Gst For Woocommerce, Woocommerce, Wordpress	2025-09-29	7.1 High
Cross-Site Request Forgery (CSRF) vulnerability in Ashwani kumar GST for WooCommerce allows Stored XSS. This issue affects GST for WooCommerce: from n/a through 2.0.
CVE-2025-60219	3 Harutheme, Woocommerce, Wordpress	3 Woocommerce Designer Pro, Woocommerce, Wordpress	2025-09-29	10 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme WooCommerce Designer Pro allows Upload a Web Shell to a Web Server. This issue affects WooCommerce Designer Pro: from n/a through 1.9.24.
CVE-2025-60171	3 Woocommerce, Wordpress, Yourplugins	3 Woocommerce, Wordpress, Conditional Cart Messages For Woocommerce	2025-09-29	7.1 High
Cross-Site Request Forgery (CSRF) vulnerability in yourplugins Conditional Cart Messages for WooCommerce – YourPlugins.com allows Stored XSS. This issue affects Conditional Cart Messages for WooCommerce – YourPlugins.com: from n/a through 1.2.10.
CVE-2025-60158	3 Webmaniabr, Woocommerce, Wordpress	3 Nota Fiscal Eletronica, Woocommerce, Wordpress	2025-09-29	5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmaniabr Nota Fiscal Eletrônica WooCommerce allows Stored XSS. This issue affects Nota Fiscal Eletrônica WooCommerce: from n/a through 3.4.0.6.
CVE-2025-60159	3 Webmaniabr, Woocommerce, Wordpress	3 Nota Fiscal Eletronica, Woocommerce, Wordpress	2025-09-29	4.3 Medium
Missing Authorization vulnerability in webmaniabr Nota Fiscal Eletrônica WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nota Fiscal Eletrônica WooCommerce: from n/a through 3.4.0.6.
CVE-2025-10173	4 Elementor, Roxnor, Woocommerce and 1 more	4 Elementor, Shopengine Elementor Woocommerce Builder Addon, Woocommerce and 1 more	2025-09-26	2.7 Low
The ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution plugin for WordPress is vulnerable to unauthorized access due to an incorrect capability check on the post_save() function in all versions up to, and including, 4.8.3. This makes it possible for authenticated attackers, with Editor-level access and above, to update the plugin's settings.
CVE-2025-57977	3 Woocommerce, Wordpress, Wpdesk	3 Woocommerce, Wordpress, Flexible Pdf Invoices	2025-09-25	7.1 High
Cross-Site Request Forgery (CSRF) vulnerability in wpdesk Flexible PDF Invoices for WooCommerce & WordPress allows Cross Site Request Forgery. This issue affects Flexible PDF Invoices for WooCommerce & WordPress: from n/a through 6.0.13.
CVE-2025-57972	3 Woocommerce, Wordpress, Wpfactory	3 Woocommerce, Wordpress, Helpdesk Support Ticket System	2025-09-25	4.3 Medium
Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Helpdesk Support Ticket System for WooCommerce: from n/a through 2.0.2.
CVE-2025-9054	3 Techspawn, Woocommerce, Wordpress	3 Multiloca, Woocommerce, Wordpress	2025-09-25	9.8 Critical
The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'wcmlim_settings_ajax_handler' function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

« first previous Page 2 of 5. next last »