Refine your search
13 vulnerabilities found for WooCommerce by automattic
CVE-2026-3589 (GCVE-0-2026-3589)
Vulnerability from cvelistv5
Published
2026-03-06 09:11
Modified
2026-03-06 17:44
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Automattic | WooCommerce |
Version: 5.4.0 ≤ Version: 5.5.0 ≤ Version: 5.6.0 ≤ Version: 5.7.0 ≤ Version: 5.8.0 ≤ Version: 5.9.0 ≤ Version: 6.0.0 ≤ Version: 6.1.0 ≤ Version: 6.2.0 ≤ Version: 6.3.0 ≤ Version: 6.4.0 ≤ Version: 6.5.0 ≤ Version: 6.6.0 ≤ Version: 6.7.0 ≤ Version: 6.8.0 ≤ Version: 6.9.0 ≤ Version: 7.0.0 ≤ Version: 7.1.0 ≤ Version: 7.2.0 ≤ Version: 7.3.0 ≤ Version: 7.4.0 ≤ Version: 7.5.0 ≤ Version: 7.6.0 ≤ Version: 7.7.0 ≤ Version: 7.8.0 ≤ Version: 7.9.0 ≤ Version: 8.0.0 ≤ Version: 8.1.0 ≤ Version: 8.2.0 ≤ Version: 8.3.0 ≤ Version: 8.4.0 ≤ Version: 8.5.0 ≤ Version: 8.6.0 ≤ Version: 8.7.0 ≤ Version: 8.8.0 ≤ Version: 8.9.0 ≤ Version: 9.0.0 ≤ Version: 9.1.0 ≤ Version: 9.2.0 ≤ Version: 9.3.0 ≤ Version: 9.4.0 ≤ Version: 9.5.0 ≤ Version: 9.6.0 ≤ Version: 9.7.0 ≤ Version: 9.8.0 ≤ Version: 9.9.0 ≤ Version: 10.0.0 ≤ Version: 10.1.0 ≤ Version: 10.2.0 ≤ Version: 10.3.0 ≤ Version: 10.4.0 ≤ Version: 10.5.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-3589",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T17:44:54.283745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T17:44:58.613Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "WooCommerce",
"vendor": "Automattic",
"versions": [
{
"lessThan": "5.4.4",
"status": "affected",
"version": "5.4.0",
"versionType": "semver"
},
{
"lessThan": "5.4.5",
"status": "affected",
"version": "5.5.0",
"versionType": "semver"
},
{
"lessThan": "5.6.3",
"status": "affected",
"version": "5.6.0",
"versionType": "semver"
},
{
"lessThan": "5.7.3",
"status": "affected",
"version": "5.7.0",
"versionType": "semver"
},
{
"lessThan": "5.8.2",
"status": "affected",
"version": "5.8.0",
"versionType": "semver"
},
{
"lessThan": "5.9.2",
"status": "affected",
"version": "5.9.0",
"versionType": "semver"
},
{
"lessThan": "6.0.2",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
},
{
"lessThan": "6.1.3",
"status": "affected",
"version": "6.1.0",
"versionType": "semver"
},
{
"lessThan": "6.2.3",
"status": "affected",
"version": "6.2.0",
"versionType": "semver"
},
{
"lessThan": "6.3.2",
"status": "affected",
"version": "6.3.0",
"versionType": "semver"
},
{
"lessThan": "6.4.2",
"status": "affected",
"version": "6.4.0",
"versionType": "semver"
},
{
"lessThan": "6.5.2",
"status": "affected",
"version": "6.5.0",
"versionType": "semver"
},
{
"lessThan": "6.6.2",
"status": "affected",
"version": "6.6.0",
"versionType": "semver"
},
{
"lessThan": "6.7.1",
"status": "affected",
"version": "6.7.0",
"versionType": "semver"
},
{
"lessThan": "6.8.3",
"status": "affected",
"version": "6.8.0",
"versionType": "semver"
},
{
"lessThan": "6.9.5",
"status": "affected",
"version": "6.9.0",
"versionType": "semver"
},
{
"lessThan": "7.0.2",
"status": "affected",
"version": "7.0.0",
"versionType": "semver"
},
{
"lessThan": "7.1.2",
"status": "affected",
"version": "7.1.0",
"versionType": "semver"
},
{
"lessThan": "7.2.4",
"status": "affected",
"version": "7.2.0",
"versionType": "semver"
},
{
"lessThan": "7.3.1",
"status": "affected",
"version": "7.3.0",
"versionType": "semver"
},
{
"lessThan": "7.4.2",
"status": "affected",
"version": "7.4.0",
"versionType": "semver"
},
{
"lessThan": "7.5.2",
"status": "affected",
"version": "7.5.0",
"versionType": "semver"
},
{
"lessThan": "7.6.2",
"status": "affected",
"version": "7.6.0",
"versionType": "semver"
},
{
"lessThan": "7.7.3",
"status": "affected",
"version": "7.7.0",
"versionType": "semver"
},
{
"lessThan": "7.8.4",
"status": "affected",
"version": "7.8.0",
"versionType": "semver"
},
{
"lessThan": "7.9.2",
"status": "affected",
"version": "7.9.0",
"versionType": "semver"
},
{
"lessThan": "8.0.5",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
},
{
"lessThan": "8.1.4",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"lessThan": "8.2.5",
"status": "affected",
"version": "8.2.0",
"versionType": "semver"
},
{
"lessThan": "8.3.4",
"status": "affected",
"version": "8.3.0",
"versionType": "semver"
},
{
"lessThan": "8.4.3",
"status": "affected",
"version": "8.4.0",
"versionType": "semver"
},
{
"lessThan": "8.5.5",
"status": "affected",
"version": "8.5.0",
"versionType": "semver"
},
{
"lessThan": "8.6.4",
"status": "affected",
"version": "8.6.0",
"versionType": "semver"
},
{
"lessThan": "8.7.3",
"status": "affected",
"version": "8.7.0",
"versionType": "semver"
},
{
"lessThan": "8.8.7",
"status": "affected",
"version": "8.8.0",
"versionType": "semver"
},
{
"lessThan": "8.9.5",
"status": "affected",
"version": "8.9.0",
"versionType": "semver"
},
{
"lessThan": "9.0.4",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.1.7",
"status": "affected",
"version": "9.1.0",
"versionType": "semver"
},
{
"lessThan": "9.2.5",
"status": "affected",
"version": "9.2.0",
"versionType": "semver"
},
{
"lessThan": "9.3.6",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.4.5",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThan": "9.5.4",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThan": "9.6.4",
"status": "affected",
"version": "9.6.0",
"versionType": "semver"
},
{
"lessThan": "9.7.3",
"status": "affected",
"version": "9.7.0",
"versionType": "semver"
},
{
"lessThan": "9.8.7",
"status": "affected",
"version": "9.8.0",
"versionType": "semver"
},
{
"lessThan": "9.9.7",
"status": "affected",
"version": "9.9.0",
"versionType": "semver"
},
{
"lessThan": "10.0.6",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThan": "10.1.4",
"status": "affected",
"version": "10.1.0",
"versionType": "semver"
},
{
"lessThan": "10.2.4",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
},
{
"lessThan": "10.3.8",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"lessThan": "10.4.4",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
},
{
"lessThan": "10.5.3",
"status": "affected",
"version": "10.5.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "oolongeya"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T09:11:10.949Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/53ded097-274d-4850-82ee-620bf02f7553/"
},
{
"tags": [
"technical-description"
],
"url": "https://developer.woocommerce.com/2026/03/02/store-api-vulnerability-patched-in-woocommerce-5-4/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WooCommerce \u003c 10.5.3 - Arbitrary Admin User Creation via CSRF",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2026-3589",
"datePublished": "2026-03-06T09:11:10.949Z",
"dateReserved": "2026-03-05T10:41:21.729Z",
"dateUpdated": "2026-03-06T17:44:58.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15033 (GCVE-0-2025-15033)
Vulnerability from cvelistv5
Published
2025-12-22 18:57
Modified
2026-03-06 09:09
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Automattic | WooCommerce |
Version: 8.1.0 ≤ Version: 8.2.0 ≤ Version: 8.3.0 ≤ Version: 8.4.0 ≤ Version: 8.5.0 ≤ Version: 8.6.0 ≤ Version: 8.7.0 ≤ Version: 8.8.0 ≤ Version: 8.9.0 ≤ Version: 9.0.0 ≤ Version: 9.1.0 ≤ Version: 9.2.0 ≤ Version: 9.3.0 ≤ Version: 9.4.0 ≤ Version: 9.5.0 ≤ Version: 9.6.0 ≤ Version: 9.7.0 ≤ Version: 9.8.0 ≤ Version: 9.9.0 ≤ Version: 10.0.0 ≤ Version: 10.1.0 ≤ Version: 10.2.0 ≤ Version: 10.3.0 ≤ Version: 10.4.0 ≤ |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-15033",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-22T23:55:39.079754Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-22T23:56:11.871Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "WooCommerce",
"vendor": "Automattic",
"versions": [
{
"lessThan": "8.1.3",
"status": "affected",
"version": "8.1.0",
"versionType": "semver"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "8.2.0",
"versionType": "semver"
},
{
"lessThan": "8.3.3",
"status": "affected",
"version": "8.3.0",
"versionType": "semver"
},
{
"lessThan": "8.4.2",
"status": "affected",
"version": "8.4.0",
"versionType": "semver"
},
{
"lessThan": "8.5.4",
"status": "affected",
"version": "8.5.0",
"versionType": "semver"
},
{
"lessThan": "8.6.3",
"status": "affected",
"version": "8.6.0",
"versionType": "semver"
},
{
"lessThan": "8.7.2",
"status": "affected",
"version": "8.7.0",
"versionType": "semver"
},
{
"lessThan": "8.8.6",
"status": "affected",
"version": "8.8.0",
"versionType": "semver"
},
{
"lessThan": "8.9.4",
"status": "affected",
"version": "8.9.0",
"versionType": "semver"
},
{
"lessThan": "9.0.3",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
},
{
"lessThan": "9.1.5",
"status": "affected",
"version": "9.1.0",
"versionType": "semver"
},
{
"lessThan": "9.2.4",
"status": "affected",
"version": "9.2.0",
"versionType": "semver"
},
{
"lessThan": "9.3.5",
"status": "affected",
"version": "9.3.0",
"versionType": "semver"
},
{
"lessThan": "9.4.4",
"status": "affected",
"version": "9.4.0",
"versionType": "semver"
},
{
"lessThan": "9.5.3",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThan": "9.6.3",
"status": "affected",
"version": "9.6.0",
"versionType": "semver"
},
{
"lessThan": "9.7.2",
"status": "affected",
"version": "9.7.0",
"versionType": "semver"
},
{
"lessThan": "9.8.6",
"status": "affected",
"version": "9.8.0",
"versionType": "semver"
},
{
"lessThan": "9.9.6",
"status": "affected",
"version": "9.9.0",
"versionType": "semver"
},
{
"lessThan": "10.0.5",
"status": "affected",
"version": "10.0.0",
"versionType": "semver"
},
{
"lessThan": "10.1.3",
"status": "affected",
"version": "10.1.0",
"versionType": "semver"
},
{
"lessThan": "10.2.3",
"status": "affected",
"version": "10.2.0",
"versionType": "semver"
},
{
"lessThan": "10.3.7",
"status": "affected",
"version": "10.3.0",
"versionType": "semver"
},
{
"lessThan": "10.4.3",
"status": "affected",
"version": "10.4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter St\u00f6ckli"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability in WooCommerce 8.1 to 10.4.2 can allow logged-in customers to access order data of guest customers on sites with a certain configuration. This has been fixed in WooCommerce 10.4.3, as well as all the previously affected versions through point releases, starting from 8.1, where it has been fixed in 8.1.3. It does not affect WooCommerce 8.0 or earlier."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T09:09:36.936Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/f55fd7d3-7fbe-474f-9406-f47f8aee5e57/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WooCommerce - Subscriber/Customer+ Order Data Disclosure",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2025-15033",
"datePublished": "2025-12-22T18:57:39.687Z",
"dateReserved": "2025-12-22T15:54:08.585Z",
"dateUpdated": "2026-03-06T09:09:36.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-7320 (GCVE-0-2023-7320)
Vulnerability from cvelistv5
Published
2025-10-29 06:45
Modified
2026-04-08 17:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API's REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information including PII(Personal Identifiable Information).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| automattic | WooCommerce |
Version: 0 ≤ 7.8.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-7320",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-29T13:57:52.747432Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T14:19:46.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce",
"vendor": "automattic",
"versions": [
{
"lessThanOrEqual": "7.8.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "osama-hamad"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.8.2, due to improper CORS handling on the Store API\u0027s REST endpoints allowing direct external access from any origin. This can allow unauthenticated attackers to extract sensitive user information including PII(Personal Identifiable Information)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:02:27.373Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7b2d1879-c337-41c9-9f47-f9c2fe8e5928?source=cve"
},
{
"url": "https://wpscan.com/vulnerability/d1cec296-b5df-4cea-8c0d-d03a975cb6af"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=2939652@woocommerce/trunk\u0026old=2933569@woocommerce/trunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2023-09-11T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WooCommerce \u003c= 7.8.2 - Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-7320",
"datePublished": "2025-10-29T06:45:48.702Z",
"dateReserved": "2025-10-28T18:04:16.931Z",
"dateUpdated": "2026-04-08T17:02:27.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49042 (GCVE-0-2025-49042)
Vulnerability from cvelistv5
Published
2025-10-29 04:50
Modified
2026-04-28 16:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.This issue affects WooCommerce: from n/a through <= 10.0.2.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Automattic | WooCommerce |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-49042",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-29T13:31:11.476667Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-29T13:31:19.805Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woocommerce",
"product": "WooCommerce",
"vendor": "Automattic",
"versions": [
{
"changes": [
{
"at": "10.0.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "10.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "savphill | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:36.392Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.\u003cp\u003eThis issue affects WooCommerce: from n/a through \u003c= 10.0.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.This issue affects WooCommerce: from n/a through \u003c= 10.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:58.197Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce/vulnerability/wordpress-woocommerce-plugin-10-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress WooCommerce plugin \u003c= 10.0.2 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49042",
"datePublished": "2025-10-29T04:50:12.507Z",
"dateReserved": "2025-05-30T14:04:26.750Z",
"dateUpdated": "2026-04-28T16:12:58.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-5062 (GCVE-0-2025-5062)
Vulnerability from cvelistv5
Published
2025-05-22 03:42
Modified
2026-04-08 17:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| automattic | WooCommerce |
Version: 0 ≤ 9.3.2 Version: 9.4 ≤ 9.4.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5062",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T13:31:32.634850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T13:31:43.045Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce",
"vendor": "automattic",
"versions": [
{
"lessThanOrEqual": "9.3.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.4.2",
"status": "affected",
"version": "9.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Antonio Rocco Spataro"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the \u0027customize-store\u0027 page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:23:41.731Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc2ee5bb-eeb8-4134-8f3f-b411e56457f0?source=cve"
},
{
"url": "https://github.com/woocommerce/woocommerce/blob/08dbc3b7dea140dd5dc19ee9c9ecd47dac0605b6/plugins/woocommerce/client/admin/client/customize-store/utils.js#L39C1-L56C2"
},
{
"url": "https://developer.woocommerce.com/2024/12/03/woocommerce-9-4-3-and-woocommerce-9-3-4-available-now/"
},
{
"url": "https://github.com/woocommerce/woocommerce/pull/53405/files"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-03T16:28:14.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-05-21T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WooCommerce \u003c= 9.4.2 - PostMessage-Based Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-5062",
"datePublished": "2025-05-22T03:42:08.044Z",
"dateReserved": "2025-05-21T15:37:31.623Z",
"dateUpdated": "2026-04-08T17:23:41.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-26762 (GCVE-0-2025-26762)
Vulnerability from cvelistv5
Published
2025-03-27 15:52
Modified
2026-04-28 16:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.This issue affects WooCommerce: from n/a through <= 9.7.0.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Automattic | WooCommerce |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T16:16:44.444642Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T16:17:11.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woocommerce",
"product": "WooCommerce",
"vendor": "Automattic",
"versions": [
{
"changes": [
{
"at": "9.7.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "9.7.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "savphill | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:35:14.525Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.\u003cp\u003eThis issue affects WooCommerce: from n/a through \u003c= 9.7.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Automattic WooCommerce woocommerce allows Stored XSS.This issue affects WooCommerce: from n/a through \u003c= 9.7.0."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:11:40.353Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce/vulnerability/wordpress-woocommerce-plugin-9-7-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress WooCommerce plugin \u003c= 9.7.0 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-26762",
"datePublished": "2025-03-27T15:52:22.683Z",
"dateReserved": "2025-02-14T06:53:32.111Z",
"dateUpdated": "2026-04-28T16:11:40.353Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-9944 (GCVE-0-2024-9944)
Vulnerability from cvelistv5
Published
2024-10-15 05:31
Modified
2026-04-08 17:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| automattic | WooCommerce |
Version: 0 ≤ 9.0.2 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:woothemes:woocommerce:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "woocommerce",
"vendor": "woothemes",
"versions": [
{
"lessThanOrEqual": "9.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9944",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-15T13:52:24.796142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-15T13:53:15.085Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce",
"vendor": "automattic",
"versions": [
{
"lessThanOrEqual": "9.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pedro Paniago"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:17:17.415Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b5dfe2a5-612f-4e6c-a639-4afcff2ffa4c?source=cve"
},
{
"url": "https://github.com/woocommerce/woocommerce/pull/49370"
},
{
"url": "https://raw.githubusercontent.com/woocommerce/woocommerce/trunk/changelog.txt"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3115837%40woocommerce%2Ftrunk\u0026old=3106873%40woocommerce%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-14T17:07:11.000Z",
"value": "Disclosed"
}
],
"title": "WooCommerce \u003c= 9.0.2 - Unauthenticated HTML Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9944",
"datePublished": "2024-10-15T05:31:31.921Z",
"dateReserved": "2024-10-14T17:06:23.598Z",
"dateUpdated": "2026-04-08T17:17:17.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-39666 (GCVE-0-2024-39666)
Vulnerability from cvelistv5
Published
2024-08-18 13:37
Modified
2026-04-28 16:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 9.1.2.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Automattic | WooCommerce |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39666",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T13:41:10.672560Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T13:41:17.377Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woocommerce",
"product": "WooCommerce",
"vendor": "Automattic",
"versions": [
{
"changes": [
{
"at": "9.1.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "9.1.2",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "stealthcopter (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Automattic WooCommerce.\u003cp\u003eThis issue affects WooCommerce: from n/a through 9.1.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 9.1.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:08.243Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-9-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 9.1.3 or a higher version."
}
],
"value": "Update to 9.1.3 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WooCommerce plugin \u003c= 9.1.2 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-39666",
"datePublished": "2024-08-18T13:37:18.254Z",
"dateReserved": "2024-06-26T21:19:18.995Z",
"dateUpdated": "2026-04-28T16:10:08.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-35777 (GCVE-0-2024-35777)
Vulnerability from cvelistv5
Published
2024-07-09 09:57
Modified
2026-04-28 16:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Summary
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing.This issue affects WooCommerce: from n/a through 8.9.2.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Automattic | WooCommerce |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-35777",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-09T13:57:43.424225Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-09T13:57:49.301Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:21:47.313Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-9-2-content-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woocommerce",
"product": "WooCommerce",
"vendor": "Automattic",
"versions": [
{
"changes": [
{
"at": "9.0.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "8.9.2",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Savphill (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027) vulnerability in Automattic WooCommerce allows Content Spoofing.\u003cp\u003eThis issue affects WooCommerce: from n/a through 8.9.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027) vulnerability in Automattic WooCommerce allows Content Spoofing.This issue affects WooCommerce: from n/a through 8.9.2."
}
],
"impacts": [
{
"capecId": "CAPEC-148",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-148 Content Spoofing"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:55.316Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-9-2-content-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 9.0.0 or a higher version."
}
],
"value": "Update to 9.0.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WooCommerce plugin \u003c= 8.9.2 - Content Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-35777",
"datePublished": "2024-07-09T09:57:21.810Z",
"dateReserved": "2024-05-17T10:10:54.090Z",
"dateUpdated": "2026-04-28T16:09:55.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-22155 (GCVE-0-2024-22155)
Vulnerability from cvelistv5
Published
2024-04-07 17:56
Modified
2026-04-28 16:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.5.2.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Automattic | WooCommerce |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-12T16:19:31.454004Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T20:14:30.722Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.946Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woocommerce",
"product": "WooCommerce",
"vendor": "Automattic",
"versions": [
{
"changes": [
{
"at": "8.6.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "8.5.2",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dhabaleshwar Das (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.\u003cp\u003eThis issue affects WooCommerce: from n/a through 8.5.2.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.5.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:08.800Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-5-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 8.6.0 or a higher version."
}
],
"value": "Update to 8.6.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WooCommerce plugin \u003c= 8.5.2 - Cross Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-22155",
"datePublished": "2024-04-07T17:56:05.844Z",
"dateReserved": "2024-01-05T11:18:51.829Z",
"dateUpdated": "2026-04-28T16:09:08.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-52222 (GCVE-0-2023-52222)
Vulnerability from cvelistv5
Published
2024-01-08 18:53
Modified
2026-04-28 16:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.2.2.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Automattic | WooCommerce |
Version: n/a < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:55:41.442Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-2-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52222",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-09T20:07:34.804520Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:39:14.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woocommerce",
"product": "WooCommerce",
"vendor": "Automattic",
"versions": [
{
"changes": [
{
"at": "8.3.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "8.2.2",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.\u003cp\u003eThis issue affects WooCommerce: from n/a through 8.2.2.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:09:07.249Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-2-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u00a08.3.0 or a higher version."
}
],
"value": "Update to\u00a08.3.0 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WooCommerce Plugin \u003c= 8.2.2 is vulnerable to Cross Site Request Forgery (CSRF)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-52222",
"datePublished": "2024-01-08T18:53:05.442Z",
"dateReserved": "2023-12-29T13:04:52.567Z",
"dateUpdated": "2026-04-28T16:09:07.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-47777 (GCVE-0-2023-47777)
Vulnerability from cvelistv5
Published
2023-11-30 11:56
Modified
2026-04-28 16:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks allows Stored XSS.This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Automattic | WooCommerce |
Version: n/a < |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:16:43.678Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-1-1-contributor-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/woo-gutenberg-products-block/wordpress-woocommerce-blocks-plugin-11-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"tags": [
"third-party-advisory",
"technical-description",
"x_transferred"
],
"url": "https://patchstack.com/articles/authenticated-stored-xss-in-woocommerce-and-jetpack-plugin?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woocommerce",
"product": "WooCommerce",
"vendor": "Automattic",
"versions": [
{
"changes": [
{
"at": "8.2.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "8.1.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
},
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "woo-gutenberg-products-block",
"product": "WooCommerce Blocks",
"vendor": "Automattic",
"versions": [
{
"changes": [
{
"at": "11.1.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "11.1.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks allows Stored XSS.\u003cp\u003eThis issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Automattic WooCommerce, Automattic WooCommerce Blocks allows Stored XSS.This issue affects WooCommerce: from n/a through 8.1.1; WooCommerce Blocks: from n/a through 11.1.1."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:08:51.789Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/woocommerce/wordpress-woocommerce-plugin-8-1-1-contributor-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/woo-gutenberg-products-block/wordpress-woocommerce-blocks-plugin-11-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
},
{
"tags": [
"third-party-advisory",
"technical-description"
],
"url": "https://patchstack.com/articles/authenticated-stored-xss-in-woocommerce-and-jetpack-plugin?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update\u00a0WooCommerce to\u00a08.2.0 or a higher version."
}
],
"value": "Update\u00a0WooCommerce to\u00a08.2.0 or a higher version."
},
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update\u00a0WooCommerce Blocks to\u00a011.1.2 or a higher version."
}
],
"value": "Update\u00a0WooCommerce Blocks to\u00a011.1.2 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress WooCommerce and WooCommerce Blocks plugins - Auth. Cross-Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-47777",
"datePublished": "2023-11-30T11:56:53.604Z",
"dateReserved": "2023-11-09T21:00:01.699Z",
"dateUpdated": "2026-04-28T16:08:51.789Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24323 (GCVE-0-2021-24323)
Vulnerability from cvelistv5
Published
2021-05-17 16:48
Modified
2024-08-03 19:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Cross-site Scripting (XSS)
Summary
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Automattic | WooCommerce |
Version: 5.2.0 < 5.2.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:28:23.704Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/6d262555-7ae4-4e36-add6-4baa34dc3010"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "WooCommerce",
"vendor": "Automattic",
"versions": [
{
"lessThan": "5.2.0",
"status": "affected",
"version": "5.2.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "m0ze"
}
],
"descriptions": [
{
"lang": "en",
"value": "When taxes are enabled, the \"Additional tax classes\" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-17T16:48:53.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/6d262555-7ae4-4e36-add6-4baa34dc3010"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Woocommerce \u003c 5.2.0 - Authenticated Stored Cross-Site Scripting (XSS)",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24323",
"STATE": "PUBLIC",
"TITLE": "Woocommerce \u003c 5.2.0 - Authenticated Stored Cross-Site Scripting (XSS)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "WooCommerce",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "5.2.0",
"version_value": "5.2.0"
}
]
}
}
]
},
"vendor_name": "Automattic"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "m0ze"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When taxes are enabled, the \"Additional tax classes\" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled"
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpscan.com/vulnerability/6d262555-7ae4-4e36-add6-4baa34dc3010",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/6d262555-7ae4-4e36-add6-4baa34dc3010"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24323",
"datePublished": "2021-05-17T16:48:53.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:28:23.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}