Filtered by vendor Woocommerce
Total: 19 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-32799 | 1 Woocommerce | 1 Shipping Multiple Addresses | 2023-12-30 | N/A | 6.5 MEDIUM |
| Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Shipping Multiple Addresses. This issue affects Shipping Multiple Addresses: from n/a through 3.8.3. | |||||
| CVE-2023-32743 | 1 Woocommerce | 1 Automatewoo | 2023-12-28 | N/A | 4.9 MEDIUM |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 5.7.1. | |||||
| CVE-2023-32575 | 1 Woocommerce | 1 Woocommerce | 2023-08-28 | N/A | 4.8 MEDIUM |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI Websolution Product page shipping calculator for WooCommerce plugin <= 1.3.25 versions. | |||||
| CVE-2023-37873 | 1 Woocommerce | 1 Shipping Multiple Addresses | 2023-08-09 | N/A | 6.1 MEDIUM |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce Shipping Multiple Addresses plugin <= 3.8.5 versions. | |||||
| CVE-2023-3507 | 1 Woocommerce | 1 Woocommerce Pre-orders | 2023-08-03 | N/A | 6.5 MEDIUM |
| The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when canceling pre-orders, which could allow attackers to make logged-in admins cancel arbitrary pre-orders via a CSRF attack. | |||||
| CVE-2023-3508 | 1 Woocommerce | 1 Woocommerce Pre-orders | 2023-08-03 | N/A | 6.5 MEDIUM |
| The WooCommerce Pre-Orders WordPress plugin before 2.0.3 has a flawed CSRF check when processing its tab actions, which could allow attackers to make logged-in admins email pre-order customers, change the release date, or mark all pre-orders of a specific product as complete or cancelled, via CSRF attacks. | |||||
| CVE-2022-2099 | 1 Woocommerce | 1 Woocommerce | 2022-07-18 | 3.5 LOW | 4.8 MEDIUM |
| The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles | |||||
| CVE-2021-24938 | 1 Woocommerce | 1 Woocommerce Currency Switcher | 2021-12-06 | 4.3 MEDIUM | 6.1 MEDIUM |
| The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected Cross-Site Scripting issue. | |||||
| CVE-2021-32790 | 1 Woocommerce | 1 Woocommerce | 2021-08-04 | 4.0 MEDIUM | 4.9 MEDIUM |
| WooCommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site, can exploit vulnerable endpoints of `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing APIs. Read-only SQL queries can be executed using this exploit; although their data is not returned directly, by carefully crafting the `search` parameter information can be disclosed using timing and related attacks. Version 3.3.6 is the earliest version of WooCommerce with a patch for this vulnerability. There are no known workarounds other than upgrading. | |||||
| CVE-2020-29156 | 1 Woocommerce | 1 Woocommerce | 2021-07-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. | |||||
| CVE-2021-24323 | 1 Woocommerce | 1 Woocommerce | 2021-05-24 | 3.5 LOW | 4.8 MEDIUM |
| When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high-privilege users such as admins to use XSS payloads even when the unfiltered_html capability is disabled. | |||||
| CVE-2019-7441 | 1 Woocommerce | 1 Paypal Checkout Payment Gateway | 2020-08-24 | 4.0 MEDIUM | 6.5 MEDIUM |
| ** DISPUTED ** cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.8 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state. | |||||
| CVE-2019-18834 | 1 Woocommerce | 1 Subscriptions | 2020-07-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCS_Admin_Post_Types in class-wcs-admin-post-types.php. | |||||
| CVE-2019-14979 | 1 Woocommerce | 1 Paypal Checkout Payment Gateway | 2020-02-10 | 5.0 MEDIUM | 5.3 MEDIUM |
| ** DISPUTED ** cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state. | |||||
| CVE-2019-14978 | 1 Woocommerce | 1 Payu India Payment Gateway | 2019-12-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| /payu/icpcheckout/ in the WooCommerce PayU India Payment Gateway plugin 2.1.1 for WordPress allows Parameter Tampering in the purchaseQuantity=1 parameter, as demonstrated by purchasing an item for lower than the intended price. | |||||
| CVE-2016-10987 | 1 Woocommerce | 1 Persian Woocommerce Sms | 2019-09-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| The persian-woocommerce-sms plugin before 3.3.4 for WordPress is vulnerable to XSS via ps_sms_numbers. | |||||
| CVE-2019-9168 | 1 Woocommerce | 1 Woocommerce | 2019-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. | |||||
| CVE-2015-2329 | 1 Woocommerce | 1 Woocommerce | 2018-02-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order. | |||||
| CVE-2016-10112 | 1 Woocommerce | 1 Woocommerce | 2017-01-12 | 3.5 LOW | 4.8 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format. | |||||
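CVE-2023-3507 and CVE-2023-3508 above both come down to a "flawed CSRF check" on admin actions. The following is an added example, not code from the WooCommerce Pre-Orders plugin or from WooCommerce: it shows one common way such a check goes wrong (verifying the nonce only when the request bothers to send one) next to a hardened handler. The nonce helpers, the `NONCE_SECRET` constant, the action name `cancel_preorder_<id>` and the request arrays are all assumptions made so the file runs stand-alone; in a real plugin the equivalents are `wp_create_nonce()`/`wp_verify_nonce()` (or `check_admin_referer()`) plus `current_user_can()`.

```php
<?php
// Added example, not code from the WooCommerce Pre-Orders plugin: an admin action
// handler ("cancel pre-order") with a CSRF check that can be bypassed, next to a
// hardened version. The nonce helpers re-implement the idea behind WordPress's
// wp_create_nonce()/wp_verify_nonce() so the file runs without WordPress; in a real
// plugin use those (or check_admin_referer()) together with current_user_can().

const NONCE_SECRET   = 'replace-with-a-per-site-secret';  // assumption: site-specific key
const NONCE_LIFETIME = 12 * 3600;                          // seconds one nonce window lasts

// Token bound to the action, the acting user and a time window.
function nonce_for(string $action, int $user_id, int $tick): string {
    return substr(hash_hmac('sha256', "$action|$user_id|$tick", NONCE_SECRET), 0, 16);
}

function make_nonce(string $action, int $user_id, ?int $now = null): string {
    return nonce_for($action, $user_id, intdiv($now ?? time(), NONCE_LIFETIME));
}

// Returns true only for a present token from the current or the previous window
// (so a form left open across the rollover still submits).
function verify_nonce(?string $nonce, string $action, int $user_id, ?int $now = null): bool {
    if ($nonce === null || $nonce === '') {
        return false;                       // a missing token is a failure, never a skip
    }
    $tick = intdiv($now ?? time(), NONCE_LIFETIME);
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(nonce_for($action, $user_id, $t), $nonce)) {
            return true;
        }
    }
    return false;
}

// Flawed pattern (a common way such checks go wrong; not a claim about what the
// plugin's code looked like): the nonce is verified only when the request sends
// one, so a cross-site form that simply omits _wpnonce is never challenged.
function cancel_preorder_flawed(array $request, int $user_id, bool $is_admin): string {
    $order_id = (int) ($request['order_id'] ?? 0);
    if (!$is_admin) {
        return 'denied';
    }
    if (isset($request['_wpnonce'])
        && !verify_nonce($request['_wpnonce'], "cancel_preorder_$order_id", $user_id)) {
        return 'denied';
    }
    return "cancelled:$order_id";
}

// Hardened: capability check AND an unconditional nonce check, with the nonce
// bound to this specific action and object so it cannot be replayed elsewhere.
function cancel_preorder_hardened(array $request, int $user_id, bool $is_admin): string {
    $order_id = (int) ($request['order_id'] ?? 0);
    if (!$is_admin || $order_id <= 0) {
        return 'denied';
    }
    if (!verify_nonce($request['_wpnonce'] ?? null, "cancel_preorder_$order_id", $user_id)) {
        return 'denied';
    }
    return "cancelled:$order_id";
}

// Constructed requests from a logged-in admin (user id 1): one forged by a third-party
// page, which cannot know the nonce and so omits it, and one from the plugin's own form.
$admin  = 1;
$forged = ['order_id' => 42];
$legit  = ['order_id' => 42, '_wpnonce' => make_nonce('cancel_preorder_42', $admin)];
echo cancel_preorder_flawed($forged, $admin, true), PHP_EOL;    // forged request, flawed check
echo cancel_preorder_hardened($forged, $admin, true), PHP_EOL;  // forged request, hardened check
echo cancel_preorder_hardened($legit, $admin, true), PHP_EOL;   // genuine request, hardened check
```

The check that matters is the one on a request with no nonce at all: the browser will attach the admin's session cookie to a forged cross-site request, so a capability check alone proves nothing about who built the request. Deny when the token is absent, and bind the token to the action and the object it acts on rather than using one site-wide value.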
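CVE-2021-32790 and CVE-2023-32743 are both SQL injection through a value that ends up in a listing query, the former specifically via the `search` parameter of the webhook listing endpoints. The following is an added example, not WooCommerce's or AutomateWoo's code: a "list webhooks matching a search term" query written the unsafe way and the safe way. It uses an in-memory SQLite database through PDO so that it runs stand-alone; the table layout, the `esc_like()` helper and the constructed rows are assumptions. In WordPress the same fix is `$wpdb->prepare()` combined with `$wpdb->esc_like()`.

```php
<?php
// Added example (not WooCommerce's code): a "list webhooks, filtered by search" query
// built two ways, against an in-memory SQLite database so it runs without WordPress.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE webhooks (id INTEGER PRIMARY KEY, name TEXT, delivery_url TEXT)');

// Constructed sample rows; the second name contains a LIKE metacharacter on purpose.
$rows = [
    [1, 'order.created -> erp',  'https://erp.example.test/hook'],
    [2, 'product.updated 100%',  'https://sync.example.test/hook'],
    [3, 'customer.created',      'https://crm.example.test/hook'],
];
$ins = $db->prepare('INSERT INTO webhooks VALUES (?, ?, ?)');
foreach ($rows as $r) {
    $ins->execute($r);
}

// Vulnerable: the search term is spliced into the SQL text, so whoever supplies it
// controls the rest of the statement. Because this is a filtering clause rather than
// a data-returning one, the realistic abuse is blind extraction (boolean or timing
// based), which is the read-only scenario the CVE text describes.
function list_webhooks_vulnerable(PDO $db, string $search): array {
    $sql = "SELECT id, name FROM webhooks WHERE name LIKE '%$search%' ORDER BY id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: bind the value as a parameter, and escape LIKE metacharacters so a
// '%' or '_' typed by the user is matched literally instead of acting as a wildcard.
function esc_like(string $term): string {
    return addcslashes($term, '%_\\');
}

function list_webhooks_safe(PDO $db, string $search): array {
    $stmt = $db->prepare(
        "SELECT id, name FROM webhooks WHERE name LIKE :term ESCAPE '\\' ORDER BY id"
    );
    $stmt->execute([':term' => '%' . esc_like($search) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a benign term, a term containing a wildcard character, and a
// term that closes the quoted literal in the vulnerable query and comments out the rest.
$benign   = 'created';
$wildcard = '100%';
$injected = "x' OR 1=1 --";

print_r(list_webhooks_vulnerable($db, $benign));    // vulnerable query, benign term
print_r(list_webhooks_vulnerable($db, $injected));  // vulnerable query, injected term
print_r(list_webhooks_safe($db, $injected));        // safe query, injected term
print_r(list_webhooks_safe($db, $wildcard));        // safe query, '%' treated literally
```

Binding alone is not quite the whole fix for a search box: without `esc_like()` a user-supplied `%` still widens the match, which is harmless here but matters when the pattern gates what another user may see. Note too that the CVE requires admin access or API keys; parameterising the query is still the right fix, because "only admins can inject" is one leaked key away from "anyone can".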
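CVE-2019-7441, CVE-2019-14979 and CVE-2019-14978 are all parameter tampering in the payment flow: the browser relays an amount (or quantity) to the gateway, and the shopper can lower it. The vendor's response to the PayPal reports says what the defence has to be: the gateway's reported amount is validated against the order total the store recorded, and a mismatch leaves the order "On Hold". The following is an added example, not code from the PayPal Checkout or PayU India gateway plugins or from WooCommerce; the callback field names (`status`, `order_id`, `currency`, `amount`) are assumptions and do not describe any real gateway's notification format. It assumes the callback has already been authenticated (PayPal IPN verification, PayU's response hash); amount validation is the second gate, not a substitute for the first.

```php
<?php
// Added example (not any gateway plugin's code): the server-side check a payment
// gateway integration must do when the gateway reports a completed payment. The
// amount the shopper's browser sent to the gateway is attacker-controlled; the only
// trustworthy figure is the order total the store computed and stored at checkout.

// Money is compared in minor units (cents, paise) to avoid float comparisons.
function to_minor_units(string $amount): int {
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $amount)) {
        throw new InvalidArgumentException("malformed amount: $amount");
    }
    [$whole, $frac] = array_pad(explode('.', $amount, 2), 2, '0');
    return (int) $whole * 100 + (int) str_pad($frac, 2, '0');
}

// Decide the order status from the store's own record and the gateway's callback.
// $order is what the store persisted at checkout; $callback is what the gateway
// posted back (field names are assumptions, not any real gateway's format).
function settle_order(array $order, array $callback): string {
    if (($callback['status'] ?? '') !== 'completed') {
        return 'pending';
    }
    // The callback must refer to this order, in the currency we charged in...
    if (($callback['order_id'] ?? null) !== $order['id']
        || strtoupper($callback['currency'] ?? '') !== strtoupper($order['currency'])) {
        return 'on-hold';
    }
    // ...and must have collected exactly the total we computed, not the number the
    // browser relayed (amount_1, purchaseQuantity and the like).
    try {
        $paid = to_minor_units((string) ($callback['amount'] ?? ''));
    } catch (InvalidArgumentException $e) {
        return 'on-hold';
    }
    if ($paid !== to_minor_units($order['total'])) {
        return 'on-hold';           // a human looks at it before anything ships
    }
    return 'processing';
}

// Constructed order and callbacks: one tampered down to 1.00, one honest,
// one paid in a different currency.
$order    = ['id' => 'WC-1001', 'currency' => 'INR', 'total' => '2499.00'];
$tampered = ['status' => 'completed', 'order_id' => 'WC-1001', 'currency' => 'INR', 'amount' => '1.00'];
$honest   = ['status' => 'completed', 'order_id' => 'WC-1001', 'currency' => 'INR', 'amount' => '2499.00'];
$wrongcur = ['status' => 'completed', 'order_id' => 'WC-1001', 'currency' => 'USD', 'amount' => '2499.00'];

echo settle_order($order, $tampered), PHP_EOL;  // tampered amount
echo settle_order($order, $honest), PHP_EOL;    // matching amount
echo settle_order($order, $wrongcur), PHP_EOL;  // currency mismatch
```

Two design points worth keeping. Compare in integer minor units rather than floats, so that `2499.00` and `2499` agree and `2498.999` cannot round its way past the check. And compare currency as well as amount: an amount that matches numerically in a weaker currency is the same fraud with one extra step.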
