Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 41-60 of 115 records
Threat Entry Updated 2025-04-11

CVE-2025-2719 - WooCommerce Plugin

The Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in versions 1.2.8 to 1.4.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 1/true on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny access to legitimate users or be used to set…

PLUGIN WooCommerce

CVE-2025-2719

MEDIUM CVSS 6.5 2025-04-10
Threat Entry Updated 2025-04-08

CVE-2025-2568 - Woocommerce Plugin

The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the 'vayu_blocks_get_toggle_switch_values_callback' and 'vayu_blocks_save_toggle_switch_callback' function in versions 1.0.4 to 1.2.1. This makes it possible for unauthenticated attackers to read plugin options and update any option with a key name ending in '_value'.

PLUGIN Woocommerce

CVE-2025-2568

MEDIUM CVSS 5.3 2025-04-08
Threat Entry Updated 2025-04-01

CVE-2025-31843 - WooCommerce Plugin

Missing Authorization vulnerability in Wilson OpenAI Tools for WordPress & WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects OpenAI Tools for WordPress & WooCommerce: from n/a through 2.1.5.

PLUGIN WooCommerce

CVE-2025-31843

MEDIUM CVSS 4.3 2025-04-01
Threat Entry Updated 2025-05-27

CVE-2024-13553 - Woocommerce Plugin

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators.

PLUGIN Woocommerce

CVE-2024-13553

CRITICAL CVSS 9.8 2025-04-01
Threat Entry Updated 2026-01-09

CVE-2025-22644 - WooCommerce Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce allows Stored XSS. This issue affects Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce: from n/a through 1.2.1.

PLUGIN WooCommerce

CVE-2025-22644

MEDIUM CVSS 6.5 2025-03-27
Threat Entry Updated 2025-03-27

CVE-2025-30609 - WooCommerce Plugin

Insertion of Sensitive Information Into Sent Data vulnerability in AppExperts AppExperts – WordPress to Mobile App – WooCommerce to iOs and Android Apps allows Retrieve Embedded Sensitive Data. This issue affects AppExperts – WordPress to Mobile App – WooCommerce to iOs and Android Apps: from n/a through 1.4.3.

PLUGIN WooCommerce

CVE-2025-30609

MEDIUM CVSS 5.3 2025-03-24
Threat Entry Updated 2025-03-24

CVE-2025-1527 - WooCommerce Plugin

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to a Stored DOM-Based Cross-Site Scripting via the plugin's Flash Sale Countdown module in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN WooCommerce

CVE-2025-1527

MEDIUM CVSS 6.4 2025-03-12
Threat Entry Updated 2025-05-21

CVE-2025-1363 - Woocommerce Plugin

The URL Shortener | Conversion Tracking | AB Testing | WooCommerce WordPress plugin through 9.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

PLUGIN Woocommerce

CVE-2025-1363

LOW CVSS 3.5 2025-03-09
Threat Entry Updated 2025-05-21

CVE-2025-1362 - Woocommerce Plugin

The URL Shortener | Conversion Tracking | AB Testing | WooCommerce WordPress plugin through 9.0.2 does not have CSRF checks in some bulk actions, which could allow attackers to make logged-in admins perform unwanted actions, such as deleting customers, via CSRF attacks.

PLUGIN Woocommerce

CVE-2025-1362

MEDIUM CVSS 4.3 2025-03-09
Threat Entry Updated 2025-03-24

CVE-2025-1287 - Woocommerce Plugin

The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown, Syntax Highlighter, and Page Scroll widgets in all versions up to, and including, 6.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Woocommerce

CVE-2025-1287

MEDIUM CVSS 6.4 2025-03-08
Threat Entry Updated 2025-03-07

CVE-2024-10804 - Woocommerce Plugin

The Ultimate Video Player WordPress & WooCommerce Plugin plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 10.0 via the content/downloader.php file. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Woocommerce

CVE-2024-10804

HIGH CVSS 7.5 2025-03-07
Threat Entry Updated 2025-05-21

CVE-2024-13868 - Woocommerce Plugin

The URL Shortener | Conversion Tracking | AB Testing | WooCommerce WordPress plugin through 9.0.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Woocommerce

CVE-2024-13868

MEDIUM CVSS 6.1 2025-03-06
Threat Entry Updated 2025-02-25

CVE-2024-13520 - WooCommerce Plugin

The Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) plugin for WordPress is vulnerable to unauthorized modification of data|loss of data due to a missing capability check on the 'update_voucher_price', 'update_voucher_date', 'update_voucher_note' functions in all versions up to, and including, 4.4.6. This makes it possible for unauthenticated attackers to update the value, expiration date, and user note for any gift voucher.

PLUGIN WooCommerce

CVE-2024-13520

MEDIUM CVSS 5.3 2025-02-20
Threat Entry Updated 2025-02-25

CVE-2025-1064 - WooCommerce Plugin

The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's xoo_el_action shortcode in all versions up to, and including, 2.8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN WooCommerce

CVE-2025-1064

MEDIUM CVSS 6.4 2025-02-20
Threat Entry Updated 2025-02-25

CVE-2024-13513 - WooCommerce Plugin

The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. This makes it possible for unauthenticated attackers to extract sensitive data including the plugin's clientToken, which in turn can be used to change user account information including emails and account type. This allows attackers to then change account passwords resulting in a complete site takeover. Version 2.4.2.3 disabled logging but left sites with existing log files vulnerable.

PLUGIN WooCommerce

CVE-2024-13513

CRITICAL CVSS 9.8 2025-02-15
Threat Entry Updated 2025-02-25

CVE-2024-13735 - Woocommerce Plugin

The HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.11.2 due to insufficient input sanitization and output escaping of a campaign name. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Woocommerce

CVE-2024-13735

MEDIUM CVSS 6.4 2025-02-14
Threat Entry Updated 2025-02-24

CVE-2024-13346 - Woocommerce Theme

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

THEME Woocommerce

CVE-2024-13346

HIGH CVSS 7.3 2025-02-13
Threat Entry Updated 2025-02-18

CVE-2024-13487 - WooCommerce Plugin

The The CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

PLUGIN WooCommerce

CVE-2024-13487

HIGH CVSS 7.3 2025-02-06
Threat Entry Updated 2025-02-04

CVE-2024-11829 - Woocommerce Plugin

The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Widget's searchable_label parameter in all versions up to, and including, 6.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Woocommerce

CVE-2024-11829

MEDIUM CVSS 6.4 2025-02-01
Threat Entry Updated 2025-06-05

CVE-2024-11725 - Woocommerce Plugin

The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the updateWcWarrantySettings() function in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Please…

PLUGIN Woocommerce

CVE-2024-11725

HIGH CVSS 8.8 2025-01-07