VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 44 known issues Latest disclosed Mar 10, 2026

WooCommerce Vulnerabilities

Review known vulnerability records for the WordPress plugin WooCommerce (`woocommerce`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-3589, CVE-2025-15033 and CVE-2025-49042, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed
Known Records
44
High or Critical
10
Patch Coverage
100%
Last Updated
Mar 19, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WooCommerce so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility
44 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix
0 critical and 10 high severity findings.
Recent CVEs
CVE-2026-3589, CVE-2025-15033 and CVE-2025-49042
Reference Workflow
Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.
Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-3589 Medium Patch path listed

WooCommerce < 10.5.3 - Cross-Site Request Forgery

The WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 10.5.3 (exclusive). This is due to missing or incorrect nonce validation on a function....

Published
Mar 10, 2026
Patch Status
10.5.3
Open Full Report
Known Vulnerabilities

Reports for WooCommerce

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-3589
WooCommerce < 10.5.3 - Cross-Site Request Forgery

The WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 10.5.3 (exclusive). This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action gr...

Published
Mar 10, 2026
Patched Release
10.5.3
Affected Versions
Versions before 10.5.3
Next Step
Update to 10.5.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-15033
WooCommerce <= 10.4.2 - Authenticated (Subscriber+) Information Exposure

The WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

Published
Dec 22, 2025
Patched Release
10.0.5
Affected Versions
10.0 through 10.0.4
Next Step
Update to 10.0.5 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-49042
WooCommerce <= 10.0.2 - Authenticated (Shop manager+) Stored Cross-Site Scripting

The WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 10.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to...

Published
Oct 29, 2025
Patched Release
10.0.3
Affected Versions
Versions up to 10.0.2
Next Step
Update to 10.0.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-5062
WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting

The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unaut...

Published
May 21, 2025
Patched Release
9.3.4
Affected Versions
Versions up to 9.3.2
Next Step
Update to 9.3.4 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2025-26762
WooCommerce <= 9.7.0 - Authenticated (Shop Manager+) Stored Cross-Site Scripting

The WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level...

Published
Mar 12, 2025
Patched Release
9.7.1
Affected Versions
Versions up to 9.7.0
Next Step
Update to 9.7.1 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-9944
WooCommerce <= 9.0.2 - Unauthenticated HTML Injection

The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary...

Published
Oct 14, 2024
Patched Release
9.1.0
Affected Versions
Versions up to 9.0.2
Next Step
Update to 9.1.0 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-39666
WooCommerce <= 9.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

The WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 9.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to...

Published
Aug 16, 2024
Patched Release
9.1.3
Affected Versions
Versions up to 9.1.2
Next Step
Update to 9.1.3 or newer if supported.
Open Full Report Open CVE Reference
Plugin Low Patched: Yes CVE-2024-35777
WooCommerce <= 8.9.2 - Authenticated (Shop Manager+) Content Injection

The WooCommerce plugin for WordPress is vulnerable to content injection in all versions up to, and including, 8.9.2. This is due to the plugin not properly restricting/validating content. This makes it possible for authenticated attackers, with Shop Manager-level access and above...

Published
Jun 27, 2024
Patched Release
9.0.0
Affected Versions
Versions up to 8.9.2
Next Step
Update to 9.0.0 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-37297
WooCommerce 8.8.0 - 8.9.2 - Reflected Cross-Site Scripting via Order Attribution

The WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via order attribution cookies in versions 8.8.0 to 8.8.4 and 8.9.0 to 8.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inj...

Published
Jun 10, 2024
Patched Release
8.8.5
Affected Versions
8.8.0 through 8.8.4
Next Step
Update to 8.8.5 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes CVE-2024-22155
WooCommerce <= 8.5.2 - Cross-Site Request Forgery

The WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.5.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via...

Published
Apr 05, 2024
Patched Release
8.6.0
Affected Versions
Versions up to 8.5.2
Next Step
Update to 8.6.0 or newer if supported.
Open Full Report Open CVE Reference
Plugin Medium Patched: Yes
WooCommerce < 8.4.0 - Reflected Cross-Site Scripting

The WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions before 8.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute...

Published
Jan 12, 2024
Patched Release
8.4.0
Affected Versions
Versions before 8.4.0
Next Step
Update to 8.4.0 or newer if supported.
Open Full Report
Plugin Medium Patched: Yes CVE-2023-52222
WooCommerce <= 8.2.2 - Cross-Site Request Forgery

The WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.2.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via...

Published
Jan 05, 2024
Patched Release
8.3.0
Affected Versions
Versions up to 8.2.2
Next Step
Update to 8.3.0 or newer if supported.
Open Full Report Open CVE Reference