🔎 Have you found a vulnerability in a WordPress plugin or theme? Report vulnerabilities in WordPress plugins and themes through our bug bounty program and earn a bounty on all in-scope submissions, while we handle the responsible disclosure process on your behalf.

WooCommerce

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > WooCommerce

Information

Software Type	Plugin
Software Slug	woocommerce (view on wordpress.org)
Software Status	Active
Software Author	woothemes
Software Website	woocommerce.com
Software Downloads	327,158,979
Software Active Installs	7,000,000
Software Record Last Updated	July 26, 2024

Showing 1-20 of 37 Vulnerabilities

WooCommerce < 5.5 - Authenticated Blind SQL Injection

8.8

CVE-2021-32790

Jul 13, 2021

Researcher: Josh (jl-dos)

WooCommerce <= 4.0.4 - Unauthorized Post Meta Creation/Modification

8.8

CVE ID Unknown

May 5, 2020

Researcher: Slavco Mihajloski

WooCommerce <= 3.6.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

8.8

CVE ID Unknown

Jul 2, 2019

Researcher: DENNIS BRINKROLF

WooCommerce <= 3.2.3 - Authenticated PHP Object Injection

8.8

CVE-2017-18356

Nov 16, 2017

Researchers:

WooCommerce <= 2.3.10 - PHP Object Injection

7.5

CVE ID Unknown

Jun 10, 2015

Researchers:

WooCommerce <= 2.2.2 - Cross-Site Scripting via range Parameter

7.3

CVE-2014-6313

Sep 15, 2014

Researcher: dwxsupport

WooCommerce <= 6.2.0 - Path Traversal via Tax Importer

7.2

CVE ID Unknown

Feb 22, 2022

Researchers:

WooCommerce <= 3.6.4 - Missing File Type Validation

7.2

CVE ID Unknown

Jul 2, 2019

Researchers:

WooCommerce <= 3.4.5 - WooCommerce File Deletion

7.2

CVE-2018-20714

Nov 6, 2018

Researchers: Simon Scannell, Karim El Ouerghemmi, Slavco Mihajloski

WooCommerce <= 2.3.5 - Stored Cross-Site Scripting

7.2

CVE-2015-2329

Mar 13, 2015

Researchers:

WooCommerce <= 3.4.4 - Authenticated PHP Object Injection

6.6

CVE ID Unknown

Aug 29, 2018

Researchers:

WooCommerce < 5.7.0 & WooCommerce Admin < 2.6.4 - Information Disclosure

6.5

CVE ID Unknown

Apr 10, 2022

Researchers:

WooCommerce <= 4.6.1 & WooCommerce Blocks <= 3.7.0 - Settings Bypass leading to Account Creation

6.5

CVE ID Unknown

Nov 5, 2020

Researchers:

WooCommerce <= 8.1.1 & WooCommerce Blocks <= 11.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute

6.4

CVE-2023-47777

Nov 15, 2023

Researcher: Rafie Muhammad

WooCommerce <= 2.6.3 - Stored Cross-Site Scripting via REST-API

6.4

CVE ID Unknown

Jul 26, 2016

Researcher: Sipke Mellema

WooCommerce <= 2.6.2 - Stored Cross-Site Scripting

6.4

CVE ID Unknown

Jul 19, 2016

Researcher: Han Sahin

WooCommerce 8.8.0 - 8.9.2 - Reflected Cross-Site Scripting via Order Attribution

6.1

CVE-2024-37297

Jun 10, 2024

Researchers:

WooCommerce < 8.4.0 - Reflected Cross-Site Scripting

6.1

CVE ID Unknown

Jan 12, 2024

Researchers:

WooCommerce <= 4.2.0 - Reflected Cross-Site Scripting

6.1

CVE ID Unknown

Jun 22, 2020

Researchers:

WooCommerce <= 3.5.4 - Stored Cross-Site Scripting

6.1

CVE-2019-9168

Feb 20, 2019

Researcher: Zhouyuan Yang

Title	Status	CVE ID	CVSS	Researchers	Date
WooCommerce < 5.5 - Authenticated Blind SQL Injection	Patched	CVE-2021-32790	8.8	Josh (jl-dos)	July 13, 2021
WooCommerce <= 4.0.4 - Unauthorized Post Meta Creation/Modification	Patched		8.8	Slavco Mihajloski	May 5, 2020
WooCommerce <= 3.6.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting	Patched		8.8	DENNIS BRINKROLF	July 2, 2019
WooCommerce <= 3.2.3 - Authenticated PHP Object Injection	Patched	CVE-2017-18356	8.8		November 16, 2017
WooCommerce <= 2.3.10 - PHP Object Injection	Patched		7.5		June 10, 2015
WooCommerce <= 2.2.2 - Cross-Site Scripting via range Parameter	Patched	CVE-2014-6313	7.3	dwxsupport	September 15, 2014
WooCommerce <= 6.2.0 - Path Traversal via Tax Importer	Patched		7.2		February 22, 2022
WooCommerce <= 3.6.4 - Missing File Type Validation	Patched		7.2		July 2, 2019
WooCommerce <= 3.4.5 - WooCommerce File Deletion	Patched	CVE-2018-20714	7.2	Simon Scannell, Karim El Ouerghemmi, Slavco Mihajloski	November 6, 2018
WooCommerce <= 2.3.5 - Stored Cross-Site Scripting	Patched	CVE-2015-2329	7.2		March 13, 2015
WooCommerce <= 3.4.4 - Authenticated PHP Object Injection	Patched		6.6		August 29, 2018
WooCommerce < 5.7.0 & WooCommerce Admin < 2.6.4 - Information Disclosure	Patched		6.5		April 10, 2022
WooCommerce <= 4.6.1 & WooCommerce Blocks <= 3.7.0 - Settings Bypass leading to Account Creation	Patched		6.5		November 5, 2020
WooCommerce <= 8.1.1 & WooCommerce Blocks <= 11.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute	Patched	CVE-2023-47777	6.4	Rafie Muhammad	November 15, 2023
WooCommerce <= 2.6.3 - Stored Cross-Site Scripting via REST-API	Patched		6.4	Sipke Mellema	July 26, 2016
WooCommerce <= 2.6.2 - Stored Cross-Site Scripting	Patched		6.4	Han Sahin	July 19, 2016
WooCommerce 8.8.0 - 8.9.2 - Reflected Cross-Site Scripting via Order Attribution	Patched	CVE-2024-37297	6.1		June 10, 2024
WooCommerce < 8.4.0 - Reflected Cross-Site Scripting	Patched		6.1		January 12, 2024
WooCommerce <= 4.2.0 - Reflected Cross-Site Scripting	Patched		6.1		June 22, 2020
WooCommerce <= 3.5.4 - Stored Cross-Site Scripting	Patched	CVE-2019-9168	6.1	Zhouyuan Yang	February 20, 2019

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation