Automattic Woocommerce

15 CVEs affecting Automattic Woocommerce. Latest disclosed: 2026-03-06. Critical: 0, High: 2.

Top CVEs affecting Automattic Woocommerce
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-3589 | High | 7.5 | 2026-03-06 | The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logge… |
| CVE-2017-17058 | High | 7.5 | 2017-11-29 | The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, whi… |
| CVE-2025-15033 | Medium | 6.5 | 2025-12-22 | A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This… |
| CVE-2023-47777 | Medium | 6.5 | 2023-11-30 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks all… |
| CVE-2025-5062 | Medium | 6.1 | 2025-05-22 | The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and includin… |
| CVE-2025-49042 | Medium | 5.9 | 2025-10-29 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS. This… |
| CVE-2025-26762 | Medium | 5.9 | 2025-03-27 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS. This… |
| CVE-2024-39666 | Medium | 5.9 | 2024-08-18 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WooCommerce. This issue affects WooComme… |
| CVE-2023-7320 | Medium | 5.3 | 2025-10-29 | The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on… |
| CVE-2024-9944 | Medium | 5.3 | 2024-10-15 | The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutra… |
| CVE-2024-1310 | Medium | 4.9 | 2024-04-15 | The WooCommerce WordPress plugin before 8.6 does not prevent users with at least the contributor role from leaking products they shouldn't have access to. (e.g… |
| CVE-2021-24323 | Medium | 4.8 | 2021-05-17 | When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high… |
| CVE-2024-22155 | Medium | 4.3 | 2024-04-07 | Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.5.2. |
| CVE-2023-52222 | Medium | 4.3 | 2024-01-08 | Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce. This issue affects WooCommerce: from n/a through 8.2.2. |
| CVE-2024-35777 | Low | 3.5 | 2024-07-09 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoof… |