Search Results (270 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-0939 3 Linknacional, Woocommerce, Wordpress 3 Rede Itau For Woocommerce, Woocommerce, Wordpress 2026-04-15 5.3 Medium
The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed.
CVE-2026-0679 3 Fortispay, Woocommerce, Wordpress 3 Fortis For Woocommerce, Woocommerce, Wordpress 2026-04-15 5.3 Medium
The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order statuses to paid/processing/completed, effectively allowing them to mark orders as paid without payment.
CVE-2026-1000 3 Mailerlite, Woocommerce, Wordpress 3 Mailerlite, Woocommerce, Wordpress 2026-04-15 6.5 Medium
The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history.
CVE-2025-69025 3 Aethonic, Woocommerce, Wordpress 3 Poptics, Woocommerce, Wordpress 2026-04-15 4.3 Medium
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Aethonic Poptics poptics allows Retrieve Embedded Sensitive Data.This issue affects Poptics: from n/a through <= 1.0.20.
CVE-2024-0626 2 Woocommerce, Zaytech 2 Woocommerce, Woocommerce Clover Payment Gateway 2026-04-15 5.3 Medium
The WooCommerce Clover Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callback_handler function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to mark orders as paid.
CVE-2025-10162 2 Woocommerce, Wordpress 2 Woocommerce, Wordpress 2026-04-15 7.5 High
The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files via a path traversal attack
CVE-2025-53297 3 Aa-team, Woocommerce, Wordpress 3 Woocommerce Envato Affiliates, Woocommerce, Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Envato Affiliates wooenvato allows Reflected XSS.This issue affects Woocommerce Envato Affiliates: from n/a through <= 1.2.1.
CVE-2025-69004 3 Woocommerce, Wordpress, Xpeedstudio 3 Woocommerce, Wordpress, Bajaar - Highly Customizable Woocommerce Wordpress Theme 2026-04-15 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in XpeedStudio Bajaar - Highly Customizable WooCommerce WordPress Theme bajaar allows PHP Local File Inclusion.This issue affects Bajaar - Highly Customizable WooCommerce WordPress Theme: from n/a through <= 2.1.0.
CVE-2025-49947 3 Extendons, Woocommerce, Wordpress 3 Woocommerce Registration Fields Plugin, Woocommerce, Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extendons WooCommerce Registration Fields Plugin - Custom Signup Fields extendons-registration-fields allows Reflected XSS.This issue affects WooCommerce Registration Fields Plugin - Custom Signup Fields: from n/a through <= 3.2.3.
CVE-2025-60243 3 Holest Engineering, Woocommerce, Wordpress 3 Selling Commander For Woocommerce, Woocommerce, Wordpress 2026-04-15 9.8 Critical
Incorrect Privilege Assignment vulnerability in Holest Engineering Selling Commander for WooCommerce selling-commander-connector allows Privilege Escalation.This issue affects Selling Commander for WooCommerce: from n/a through <= 1.2.46.
CVE-2025-60207 3 Addify, Woocommerce, Wordpress 3 Custom User Registration Fields For Woocommerce, Woocommerce, Wordpress 2026-04-15 10 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in Addify Custom User Registration Fields for WooCommerce user-registration-plugin-for-woocommerce allows Upload a Web Shell to a Web Server.This issue affects Custom User Registration Fields for WooCommerce: from n/a through <= 2.1.2.
CVE-2024-43219 1 Woocommerce 1 Persian-woocommerce 2026-04-15 5.3 Medium
Missing Authorization vulnerability in ووکامرس فارسی Persian WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Persian WooCommerce: from n/a through 7.1.6.
CVE-2020-36841 1 Woocommerce 1 Woocommerce Smart Coupons 2026-04-15 5.3 Medium
The WooCommerce Smart Coupons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the woocommerce_coupon_admin_init function in versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to send themselves gift certificates of any value, which could be redeemed for products sold on the victim’s storefront.
CVE-2025-62870 3 Eupago, Woocommerce, Wordpress 3 Eupago Gateway Woocommerce, Woocommerce, Wordpress 2026-04-15 5.3 Medium
Missing Authorization vulnerability in Eupago Eupago Gateway For Woocommerce eupago-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eupago Gateway For Woocommerce: from n/a through <= 4.7.1.
CVE-2025-62008 3 Acowebs, Woocommerce, Wordpress 3 Product Labels For Woocommerce, Woocommerce, Wordpress 2026-04-15 8.8 High
Deserialization of Untrusted Data vulnerability in acowebs Product Table For WooCommerce product-table-for-woocommerce.This issue affects Product Table For WooCommerce: from n/a through <= 1.2.4.
CVE-2025-53422 3 Themewarriors, Woocommerce, Wordpress 3 Whatsapp Chat, Woocommerce, Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeWarriors WhatsApp Chat for WordPress and WooCommerce tw-whatsapp-chat-rotator allows Reflected XSS.This issue affects WhatsApp Chat for WordPress and WooCommerce: from n/a through <= 1.2.1.
CVE-2025-64289 3 Premmerce, Woocommerce, Wordpress 4 Premmerce, Product Search For Woocommerce, Woocommerce and 1 more 2026-04-15 5.9 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premmerce Premmerce Product Search for WooCommerce premmerce-search allows Stored XSS.This issue affects Premmerce Product Search for WooCommerce: from n/a through <= 2.2.5.
CVE-2025-10412 2 Woocommerce, Wordpress 2 Woocommerce, Wordpress 2026-04-15 9.8 Critical
The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.55. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-68011 3 Gls, Woocommerce, Wordpress 3 Shipping For Woocommerce, Woocommerce, Wordpress 2026-04-15 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce allows Reflected XSS.This issue affects GLS Shipping for WooCommerce: from n/a through <= 1.4.0.
CVE-2025-68018 3 Ilmosys, Woocommerce, Wordpress 3 Order Listener For Woocommerce, Woocommerce, Wordpress 2026-04-15 9.4 Critical
Missing Authorization vulnerability in StackWC Order Listener for WooCommerce woc-order-alert allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Listener for WooCommerce: from n/a through <= 3.6.1.