WooCommerce

Vulnerabilities: 96 | Slug: woocommerce | Latest version: 10.7.0

Minimum safe version

10.5.3

Update to 10.5.3 or later to address 94 fixable vulnerabilities

Latest available: 10.7.0 | Affected up to: 2.3.10
N/A
2026-03-10 | < 10.5.3

WooCommerce < 10.5.3 - Cross-Site Request Forgery

Medium 6.1
2025-05-22 | < 9.3.4

WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting

N/A
2024-12-04 | < 9.4.3

WordPress WooCommerce Plugin < 9.4.3 is vulnerable to Broken Access Control

N/A
< 8.4.0

WooCommerce < 8.4.0 - Reflected Cross-Site Scripting

N/A
2024-06-11 | < 8.9.3

WordPress WooCommerce Plugin <= 8.9.2 is vulnerable to Cross Site Scripting (XSS)

N/A
< 8.4.0

WordPress WooCommerce Plugin <= 8.3.0 is vulnerable to Cross Site Scripting (XSS)

N/A
2024-01-12 | < 8.4.0

WooCommerce < 8.4.0 - Reflected Cross-Site Scripting

N/A
< 7.9.0

WooCommerce < 7.9.0 - Sensitive Information Exposure

N/A
< 7.0.1

WooCommerce < 7.0.1 - Authenticated (Shop Manager+) Sensitive Information Exposure

N/A
< 7.9

WooCommerce < 7.9 - Unauthenticated Sensitive Information Disclosure

N/A
< 7.0.1

WooCommerce < 7.0.1 - Shop Manager+ User Metadata Disclosure

N/A
2023-09-11 | < 7.9.0

WooCommerce <= 7.8.2 - Sensitive Information Exposure

N/A
2023-09-11 | < 7.0.1

WooCommerce <= 7.0.0 - Authenticated (Shop Manager+) Sensitive Information Exposure

N/A
< 2.6.3

WooCommerce <= 2.6.2 - Authenticated Cross-Site Scripting (XSS)

N/A
< 2.3.11

WooCommerce 2.0.20-2.3.10 - Object Injection / XXE

N/A
< 2.4.9

WooCommerce <= 2.4.8 - Authenticated Cross-Site Scripting (XSS)

N/A
< 2.6.4

WooCommerce <= 2.6.3 - Stored Cross Site Scripting (XSS) via REST API

N/A
< 3.4.5

WooCommerce <= 3.4.4 - Potential Object Injection

N/A
< 3.4.6

WooCommerce <= 3.4.5 - Authenticated Object Injection

N/A
< 3.4.6

WooCommerce <= 3.4.5 - Authenticated Stored XSS

N/A
< 3.4.6

WooCommerce <= 3.4.5 - Authenticated Phar Deserialization

N/A
< 3.5.1

WooCommerce <= 3.5.0 - Authenticated Stored XSS

N/A
< 3.6.5

WooCommerce <= 3.6.4 - Cross-Site Request Forgery (CSRF) & File Type Check

N/A
< 4.1.0

WooCommerce < 4.1.0 - Unescaped Metadata when Duplicating Products

N/A
< 4.2.1

WooCommerce < 4.2.1 - Potential Cross-Site Scripting (XSS) via SelectWoo

N/A
< 4.6.2

WooCommerce < 4.6.2 - Guest Account Creation

N/A
< 5.7.0

WooCommerce < 5.7.0 & WooCommerce Admin < 2.6.4 - Analytics Report Leaks

Medium 4.3
2024-01-16 | < 6.2.1

CVE-2022-0775

N/A
< 5.7.0

WooCommerce < 6.2.1 - Path Traversal via Importers

N/A
< 6.2.1

WooCommerce < 6.3.1 - Orders Marked as Paid (via PayPal Standard Gateway)

N/A
< 2.0.17

WooCommerce 2.0.17 - hide-wc-extensions-message Parameter Reflected XSS

N/A
< 2.0.13

WooCommerce 2.0.12 - index.php calc_shipping_state Parameter XSS

N/A
< 2.2.3

WooCommerce <= 2.1.12 - Reflected Cross-Site Scripting (XSS)

N/A
2013-07-18 | < 2.0.13

WooCommerce <= 2.0.12 - Self-Reflected Cross-Site Scripting

N/A
2013-10-17 | < 2.0.18

WooCommerce <= 2.0.17 - Cross-Site Scripting

N/A
2014-09-17 | < 2.2.3

WooCommerce <= 2.2.2 - Reflected Cross-Site Scripting

N/A
2015-06-10 | ≥ 2.0.20 and ≤ 2.3.10

WooCommerce <= 2.3.10 - PHP Object Injection

N/A
2015-11-17 | < 2.4.9

WooCommerce < 2.4.9 - Cross-site Scripting

N/A
2016-07-19 | < 2.6.3

WooCommerce <= 2.6.2 - Stored Cross-Site Scripting

N/A
2016-07-26 | < 2.6.4

WooCommerce <= 2.6.3 - Stored Cross-Site Scripting via REST-API

N/A
2018-08-29 | < 3.4.5

WooCommerce <= 3.4.4 - Authenticated PHP Object Injection

N/A
2018-11-29 | < 3.5.2

WooCommerce <= 3.5.1 - Authenticated Stored Cross-Site Scripting

N/A
2019-07-02 | < 3.6.5

WooCommerce <= 3.6.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting

N/A
2019-07-02 | < 3.6.5

WooCommerce <= 3.6.4 - Missing File Type Validation

N/A
2020-05-05 | < 4.1.0

WooCommerce <= 4.0.4 - Unauthorized Post Meta Creation/Modification

N/A
2020-06-22 | < 4.2.1

WooCommerce <= 4.2.0 - Reflected Cross-Site Scripting

N/A
2020-11-05 | < 4.6.2

WooCommerce <= 4.6.1 & WooCommerce Blocks <= 3.7.0 - Settings Bypass leading to Account Creation

N/A
2022-02-22 | < 6.2.1

WooCommerce <= 6.2.0 - Path Traversal via Tax Importer

N/A
2022-02-22 | < 6.2.1

WooCommerce <= 6.2.0 - Incorrect Authorization Checks on REST API Endpoints

N/A
2022-03-10 | < 6.3.1

WooCommerce < 6.3.1 - Unauthorized Order Status Change

N/A
2022-04-10 | < 5.7.0

WooCommerce < 5.7.0 & WooCommerce Admin < 2.6.4 - Information Disclosure

N/A
2015-05-15 | < 2.3.6

WordPress WooCommerce Plugin <= 2.3.5 - SQL Injection

N/A
2015-05-15 | < 2.0.13

WordPress WooCommerce Plugin <= 2.0.12 - Cross Site Scripting

N/A
2015-05-15 | < 2.0.18

WordPress WooCommerce Plugin <= 2.0.17 - Reflected Cross Site Scripting

N/A
2015-06-10 | < 2.2.3

WordPress WooCommerce Plugin <= 2.1.12 - Reflected XSS

N/A
2015-06-17 | < 2.3.11

WordPress WooCommerce Plugin <= 2.3.10 - XXE

N/A
2015-11-17 | < 2.4.9

WordPress WooCommerce Plugin <= 2.4.8 - Cross Site Scripting

N/A
2016-07-20 | < 2.6.3

WordPress WooCommerce Plugin <= 2.6.2 - Cross Site Scripting

N/A
2016-09-09 | < 2.6.4

WordPress WooCommerce Plugin <= 2.6.3 - Cross Site Scripting

N/A
2018-02-23 | < 3.2.4

WordPress WooCommerce plugin <= 3.2.3 - Authenticated PHP Object Injection vulnerability

N/A
2018-09-01 | < 3.4.5

WordPress WooCommerce plugin <= 3.4.4 - Potential Object Injection vulnerability

N/A
2018-10-29 | < 3.4.6

WordPress WooCommerce plugin <= 3.4.5 - Authenticated Object Injection vulnerability

N/A
2018-11-07 | < 3.4.6

WordPress WooCommerce plugin <= 3.4.5 - Authenticated File Deletion to Privilege Escalation vulnerability

N/A
2018-12-11 | < 3.4.6

WordPress WooCommerce plugin <= 3.4.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

N/A
2019-01-07 | < 3.5.1

WordPress WooCommerce plugin <= 3.5.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

N/A
2019-07-07 | < 3.6.5

WordPress WooCommerce plugin <= 3.6.4 - Cross-Site Request Forgery (CSRF) vulnerability

N/A
2020-11-06 | < 4.6.2

WordPress WooCommerce plugin <= 4.6.1 - Guest Account Creation vulnerability

N/A
2021-04-29 | < 5.2.0

WordPress WooCommerce plugin <= 5.1.0 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability

N/A
2021-07-15 | < 5.5.1

WordPress WooCommerce plugin <= 5.5.0 - Unauthenticated SQL Injection (SQLi) vulnerability

N/A
2021-09-22 | < 5.7.0

WordPress WooCommerce plugin <= 5.6.0 - Analytics Report Leaks vulnerability

N/A
2022-02-23 | < 6.2.1

WordPress WooCommerce plugin <= 6.2.0 - Arbitrary Comment Deletion vulnerability

N/A
2022-02-23 | < 6.2.1

WordPress WooCommerce plugin <= 6.2.0 - Path Traversal via Importers vulnerability

N/A
2022-03-10 | < 6.3.1

WordPress WooCommerce plugin <= 6.3.0 - Orders Status Change (via PayPal Standard Gateway) vulnerability

High 7.5
2017-11-29 | < 4.0

CVE-2017-17058