Filtered by vendor Woocommerce
Subscriptions
Filtered by product Woocommerce
Subscriptions
Total
205 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-57917 | 3 Printcart, Woocommerce, Wordpress | 3 Web To Print Product Designer, Woocommerce, Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce printcart-integration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Printcart Web to Print Product Designer for WooCommerce: from n/a through <= 2.4.8. | ||||
| CVE-2025-57972 | 3 Woocommerce, Wordpress, Wpfactory | 3 Woocommerce, Wordpress, Helpdesk Support Ticket System | 2026-04-15 | N/A |
| Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Helpdesk Support Ticket System for WooCommerce: from n/a through <= 2.1.1. | ||||
| CVE-2025-12545 | 3 Alekv, Woocommerce, Wordpress | 3 Pixel Manager For Woocommerce, Woocommerce, Wordpress | 2026-04-15 | 5.3 Medium |
| The Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.49.2 via the ajax_pmw_get_product_ids() function due to insufficient restrictions on which products can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft products that they should not have access to. | ||||
| CVE-2025-60171 | 3 Woocommerce, Wordpress, Yourplugins | 3 Woocommerce, Wordpress, Conditional Cart Messages For Woocommerce | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in yourplugins Conditional Cart Messages for WooCommerce – YourPlugins.com yourplugins-wc-conditional-cart-notices allows Stored XSS.This issue affects Conditional Cart Messages for WooCommerce – YourPlugins.com: from n/a through <= 1.2.10. | ||||
| CVE-2025-59565 | 3 Woocommerce, Wordpress, Wp Swings | 3 Woocommerce, Wordpress, Upsell Order Bump Offer For Woocommerce | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Swings Upsell Order Bump Offer for WooCommerce upsell-order-bump-offer-for-woocommerce allows Stored XSS.This issue affects Upsell Order Bump Offer for WooCommerce: from n/a through <= 3.0.7. | ||||
| CVE-2025-62005 | 3 Fantasticplugins, Woocommerce, Wordpress | 3 Sumomemberships, Woocommerce, Wordpress | 2026-04-15 | 7.1 High |
| Cross-Site Request Forgery (CSRF) vulnerability in FantasticPlugins SUMO Memberships for WooCommerce sumomemberships allows Cross Site Request Forgery.This issue affects SUMO Memberships for WooCommerce: from n/a through < 7.8.0. | ||||
| CVE-2025-5391 | 2 Woocommerce, Wordpress | 3 Woocommerce, Woocommerce Purchase Orders Plugin, Wordpress | 2026-04-15 | 8.1 High |
| The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2025-60173 | 3 Ashwani Kumar, Woocommerce, Wordpress | 3 Gst For Woocommerce, Woocommerce, Wordpress | 2026-04-15 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in Ashwani kumar GST for WooCommerce gst-for-woocommerce allows Stored XSS.This issue affects GST for WooCommerce: from n/a through <= 2.0. | ||||
| CVE-2025-49434 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2026-04-15 | N/A |
| Deserialization of Untrusted Data vulnerability in axiomthemes Cars4Rent cars4rent allows Object Injection.This issue affects Cars4Rent: from n/a through <= 1.4.2. | ||||
| CVE-2025-62151 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2026-04-15 | 8.8 High |
| Missing Authorization vulnerability in Virtuaria Virtuaria PagBank / PagSeguro para Woocommerce virtuaria-pagseguro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Virtuaria PagBank / PagSeguro para Woocommerce: from n/a through <= 3.6.3. | ||||
| CVE-2025-10162 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2026-04-15 | 7.5 High |
| The Admin and Customer Messages After Order for WooCommerce: OrderConvo WordPress plugin before 14 does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/download arbitrary files via a path traversal attack | ||||
| CVE-2025-69045 | 3 Fooevents, Woocommerce, Wordpress | 3 Fooevents For Woocommerce, Woocommerce, Wordpress | 2026-04-15 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FooEvents FooEvents for WooCommerce fooevents allows SQL Injection.This issue affects FooEvents for WooCommerce: from n/a through <= 1.20.4. | ||||
| CVE-2024-0626 | 2 Woocommerce, Zaytech | 2 Woocommerce, Woocommerce Clover Payment Gateway | 2026-04-15 | 5.3 Medium |
| The WooCommerce Clover Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the callback_handler function in all versions up to, and including, 1.3.1. This makes it possible for unauthenticated attackers to mark orders as paid. | ||||
| CVE-2025-10412 | 2 Woocommerce, Wordpress | 2 Woocommerce, Wordpress | 2026-04-15 | 9.8 Critical |
| The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.55. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
| CVE-2025-12191 | 3 Ovologics, Woocommerce, Wordpress | 3 Pdf Catalog For Woocommerce, Woocommerce, Wordpress | 2026-04-15 | 5.4 Medium |
| The PDF Catalog for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdfcatalog' AJAX action in all versions up to, and including, 1.1.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-12964 | 3 Nalam-1, Woocommerce, Wordpress | 3 Magical Products Display, Woocommerce, Wordpress | 2026-04-15 | 6.4 Medium |
| The Magical Products Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mpdpr_title_tag' and 'mpdpr_subtitle_tag' parameters in the MPD Pricing Table widget in all versions up to, and including, 1.1.29 due to insufficient input sanitization and output escaping on user-supplied HTML tag names. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-13156 | 3 Appsbd, Woocommerce, Wordpress | 3 Vitepos, Woocommerce, Wordpress | 2026-04-15 | 8.8 High |
| The Vitepos – Point of Sale (POS) for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the insert_media_attachment() function in all versions up to, and including, 3.3.0. This is due to the save_update_category_img() function accepting user-supplied file types without validation when processing category images. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which makes remote code execution possible. | ||||
| CVE-2025-10861 | 4 Popup Builder, Roxnor, Woocommerce and 1 more | 4 Popup Builder, Popup Builder, Woocommerce and 1 more | 2026-04-15 | 7.5 High |
| The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.1.4. This is due to insufficient validation on the URLs supplied via the URL parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, as well as conduct network reconnaissance. The vulnerability was partially patched in version 2.1.4. | ||||
| CVE-2025-49356 | 3 Mykola Lukin, Woocommerce, Wordpress | 3 Orders Chat For Woocommerce, Woocommerce, Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in Mykola Lukin Orders Chat for WooCommerce orders-chat-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Orders Chat for WooCommerce: from n/a through <= 1.2.0. | ||||
| CVE-2025-62081 | 3 Channelize.io, Woocommerce, Wordpress | 3 Live Shopping & Shoppable Videos For Woocommerce, Woocommerce, Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce live-shopping-video-streams allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Live Shopping & Shoppable Videos For WooCommerce: from n/a through <= 2.2.0. | ||||