Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 18 records (Critical: 2, High: 4, Medium: 12). Showing 1-18 of 18 records.
Threat Entry Updated 2026-04-08

CVE-2026-3231 - For Woocommerce Plugin

The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the `prepare_single_field_data()` method in `class-thwcfd-block-order-data.php` first escaping values with `esc_html()` then immediately reversing the escaping with `html_entity_decode()` for radio and checkboxgroup field types, combined with a permissive `wp_kses()` allowlist in `get_allowed_html()` that explicitly permits the `` element with the `onchange` event handler attribute. This makes it…

PLUGIN For Woocommerce

CVE-2026-3231

HIGH CVSS 7.2 2026-03-11
Threat Entry Updated 2026-02-19

CVE-2025-13930 - For Woocommerce Plugin

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly verifying that a user is authorized to delete an attachment combined with flawed guest order ownership validation. This makes it possible for unauthenticated attackers to delete attachments associated with guest orders using only the publicly available wooccm_upload nonce and attachment ID.

PLUGIN For Woocommerce

CVE-2025-13930

MEDIUM CVSS 5.3 2026-02-19
Threat Entry Updated 2026-02-19

CVE-2025-12500 - For Woocommerce Plugin

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the plugin not properly verifying that a user is authorized to perform file upload actions via the "ajax_checkout_attachment_upload" function. This makes it possible for unauthenticated attackers to upload files to the server, though file types are limited to WordPress's default allowed MIME types (images, documents, etc.).

PLUGIN For Woocommerce

CVE-2025-12500

MEDIUM CVSS 5.3 2026-02-19
Threat Entry Updated 2026-02-04

CVE-2025-15482 - For Woocommerce Plugin

The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via 'chapa_proceed' WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant's Chapa secret API key.

PLUGIN For Woocommerce

CVE-2025-15482

MEDIUM CVSS 5.3 2026-02-04
Threat Entry Updated 2026-04-15

CVE-2026-0939 - For Woocommerce Plugin

The Rede Itaú for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible for unauthenticated attackers to manipulate WooCommerce order statuses, either marking unpaid orders as paid, or failed.

PLUGIN For Woocommerce

CVE-2026-0939

MEDIUM CVSS 5.3 2026-01-16
Threat Entry Updated 2026-01-14

CVE-2025-15475 - For Woocommerce Plugin

The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold.

PLUGIN For Woocommerce

CVE-2025-15475

MEDIUM CVSS 5.3 2026-01-14
Threat Entry Updated 2025-12-09

CVE-2025-13924 - For Woocommerce Plugin

The Advanced Product Fields (Product Addons) for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.17. This is due to missing or incorrect nonce validation on the 'maybe_duplicate' function. This makes it possible for unauthenticated attackers to duplicate and publish product field groups, including draft and pending field groups, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN For Woocommerce

CVE-2025-13924

MEDIUM CVSS 4.3 2025-12-09
Threat Entry Updated 2025-11-21

CVE-2025-13156 - For Woocommerce Plugin

The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible.

PLUGIN For Woocommerce

CVE-2025-13156

HIGH CVSS 8.8 2025-11-21
Threat Entry Updated 2025-04-21

CVE-2025-3598 - For Woocommerce Plugin

The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the commission_summary parameter in all versions up to, and including, .6.3.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN For Woocommerce

CVE-2025-3598

MEDIUM CVSS 6.1 2025-04-18
Threat Entry Updated 2025-03-01

CVE-2024-13750 - For Woocommerce Plugin

The Multilevel Referral Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.27 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN For Woocommerce

CVE-2024-13750

MEDIUM CVSS 6.5 2025-03-01
Threat Entry Updated 2024-12-13

CVE-2024-12421 - For Woocommerce Plugin

The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.16.7.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. This functionality is also vulnerable to Reflected Cross-Site Scripting. The Cross-Site Scripting was patched in version 5.16.7.1, while the arbitrary shortcode execution was patched in 5.16.7.2.

PLUGIN For Woocommerce

CVE-2024-12421

MEDIUM CVSS 6.5 2024-12-13
Threat Entry Updated 2024-11-26

CVE-2024-10729 - For Woocommerce Plugin

The Booking & Appointment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_google_calendar_data' function in versions up to, and including, 6.9.0. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update the site options arbitrarily.

PLUGIN For Woocommerce

CVE-2024-10729

HIGH CVSS 8.8 2024-11-26
Threat Entry Updated 2026-02-17

CVE-2024-8499 - For Woocommerce Plugin

The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'render_review_request_notice' function in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN For Woocommerce

CVE-2024-8499

MEDIUM CVSS 4.7 2024-10-04
Threat Entry Updated 2024-11-21

CVE-2024-0705 - For Woocommerce Plugin

The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 3.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN For Woocommerce

CVE-2024-0705

CRITICAL CVSS 9.8 2024-01-19
Threat Entry Updated 2025-06-18

CVE-2023-5957 - For Woocommerce Plugin

The Ni Purchase Order (PO) For WooCommerce WordPress plugin through 1.2.1 does not validate logo and signature image files uploaded in the settings, allowing a high-privileged user to upload arbitrary files to the web server, triggering an RCE vulnerability by uploading a web shell.

PLUGIN For Woocommerce

CVE-2023-5957

HIGH CVSS 7.2 2024-01-08
Threat Entry Updated 2024-11-21

CVE-2023-3162 - For Woocommerce Plugin

The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.7.7. This is due to insufficient verification on the user being supplied during a Stripe checkout through the plugin. This allows unauthenticated attackers to log in as users who have orders, who are typically customers.

PLUGIN For Woocommerce

CVE-2023-3162

CRITICAL CVSS 9.8 2023-08-31
Threat Entry Updated 2024-11-21

CVE-2023-4040 - For Woocommerce Plugin

The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eh_callback_handler function in versions up to, and including, 3.7.9. This makes it possible for unauthenticated attackers to modify the order status of arbitrary WooCommerce orders.

PLUGIN For Woocommerce

CVE-2023-4040

MEDIUM CVSS 5.3 2023-08-18
Threat Entry Updated 2025-03-06

CVE-2023-0068 - For Woocommerce Plugin

The Product GTIN (EAN, UPC, ISBN) for WooCommerce WordPress plugin through 1.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PLUGIN For Woocommerce

CVE-2023-0068

MEDIUM CVSS 5.4 2023-03-06