Automattic WooCommerce
15 CVEs affecting Automattic WooCommerce. Latest disclosed: 2026-03-06. Critical: 0, High: 2.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-3589 | High | 7.5 | 2026-03-06 | The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logge… |
| CVE-2017-17058 | High | 7.5 | 2017-11-29 | The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, whi… |
| CVE-2025-15033 | Medium | 6.5 | 2025-12-22 | A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This… |
| CVE-2023-47777 | Medium | 6.5 | 2023-11-30 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks all… |
| CVE-2025-5062 | Medium | 6.1 | 2025-05-22 | The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and includin… |
| CVE-2025-49042 | Medium | 5.9 | 2025-10-29 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS. This… |
| CVE-2025-26762 | Medium | 5.9 | 2025-03-27 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS. This… |
| CVE-2024-39666 | Medium | 5.9 | 2024-08-18 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WooCommerce. This issue affects WooComme… |
| CVE-2023-7320 | Medium | 5.3 | 2025-10-29 | The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on… |
| CVE-2024-9944 | Medium | 5.3 | 2024-10-15 | The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutra… |
| CVE-2024-1310 | Medium | 4.9 | 2024-04-15 | The WooCommerce WordPress plugin before 8.6 does not prevent users with at least the contributor role from leaking products they shouldn't have access to. (e.g… |
| CVE-2021-24323 | Medium | 4.8 | 2021-05-17 | When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high… |
| CVE-2024-22155 | Medium | 4.3 | 2024-04-07 | Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.5.2. |
| CVE-2023-52222 | Medium | 4.3 | 2024-01-08 | Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2. |
| CVE-2024-35777 | Low | 3.5 | 2024-07-09 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoof… |