VulnTitan VulnTitan Security command center
Plugin Vulnerability Hub
Plugin 10 known issues Latest disclosed Jan 21, 2026

WP eCommerce Vulnerabilities

Review known vulnerability records for the WordPress plugin WP eCommerce (`wp-e-commerce`), including severity, CVE references, affected versions, and patch status.

View on WordPress.org Back to Feed
Known Records
10
High or Critical
6
Linked CVEs
5
Last Updated
Feb 25, 2026
Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for WP eCommerce so operators can quickly confirm whether a disclosed issue maps to the installed slug and version range.

Patch Visibility
10 records include a published patch path.
Severity Mix
3 critical and 3 high severity findings.
Reference Workflow
Jump from the hub into the full report when you need remediation notes, CVSS vector details, or source references.
Known Vulnerabilities

Reports for WP eCommerce

Sorted by latest disclosure date so newly published issues surface first.

Plugin High Patched: No CVE-2026-1235
eCommerce <= 3.15.1 - Unauthenticated PHP Object Injection

The eCommerce plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.15.1 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable s...

Published
Jan 21, 2026
Patched Release
Not published
Affected Versions
Versions up to 3.15.1
Next Step
Open the full report for remediation notes and references.
Open Full Report Open CVE Reference
Plugin Medium Patched: No CVE-2024-1516
WP eCommerce <= 3.15.1 - Missing Authorization to Unauthenticated Arbitrary Post Creation

The WP eCommerce plugin for WordPress is vulnerable to unauthorized arbitrary post creation due to a missing capability check on the check_for_saas_push() function in all versions up to, and including, 3.15.1. This makes it possible for unauthenticated attackers to create arbitra...

Published
Feb 27, 2024
Patched Release
Not published
Affected Versions
Versions up to 3.15.1
Next Step
Open the full report for remediation notes and references.
Open Full Report Open CVE Reference
Plugin Critical Patched: No CVE-2024-1514
WP eCommerce <= 3.15.1 - Unauthenticated SQL Injection

The WP eCommerce plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'cart_contents' parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

Published
Feb 27, 2024
Patched Release
Not published
Affected Versions
Versions up to 3.15.1
Next Step
Open the full report for remediation notes and references.
Open Full Report Open CVE Reference
Plugin High Patched: Yes
WP eCommerce < 3.11.4 - SQL Injection

The WP eCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘sessionid’ parameter in versions up to, and including, 3.11.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it poss...

Published
Nov 12, 2016
Patched Release
3.11.4
Affected Versions
Versions before 3.11.4
Next Step
Update to 3.11.4 or newer if supported.
Open Full Report
Plugin Medium Patched: Yes
WP eCommerce <= 3.9.2 - Reflected Cross-Site Scripting

The WP eCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'add_query_arg()' and 'remove_query_arg()' functions in versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauth...

Published
Apr 20, 2015
Patched Release
3.9.3
Affected Versions
Versions up to 3.9.2
Next Step
Update to 3.9.3 or newer if supported.
Open Full Report
Plugin High Patched: Yes
WP eCommerce <= 3.8.14.3 - Missing Authorization

The WP eCommerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on various functions called via AJAX actions and admin_init hooks in versions up to, and including, 3.8.14.3. This makes it possible for unauthenticated attackers to perfo...

Published
Nov 01, 2014
Patched Release
3.8.14.4
Affected Versions
Versions up to 3.8.14.3
Next Step
Update to 3.8.14.4 or newer if supported.
Open Full Report
Plugin Critical Patched: Yes CVE-2012-5310
WP eCommerce < 3.8.7.6 - SQL Injection

SQL injection vulnerability in the WP e-Commerce plugin before 3.8.7.6 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

Published
Oct 05, 2014
Patched Release
3.8.7.6
Affected Versions
Versions before 3.8.7.6
Next Step
Update to 3.8.7.6 or newer if supported.
Open Full Report Open CVE Reference
Plugin Critical Patched: Yes
WP eCommerce <= 3.8.9 - SQL Injection

The WP eCommerce plugin for WordPress is vulnerable to generic SQL Injection via the ‘view_purchlogs_by_status’ parameter in versions up to, and including, 3.8.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL que...

Published
Aug 01, 2014
Patched Release
3.8.9.1
Affected Versions
Versions up to 3.8.9
Next Step
Update to 3.8.9.1 or newer if supported.
Open Full Report
Plugin Medium Patched: Yes
WP eCommerce <= 3.8.9 - Cross-Site Scripting

The WP eCommerce plugin for WordPress is vulnerable to Cross-Site Scripting via the 'm' parameter in versions up to, and including, 3.8.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...

Published
Aug 01, 2014
Patched Release
3.8.9.1
Affected Versions
Versions up to 3.8.9
Next Step
Update to 3.8.9.1 or newer if supported.
Open Full Report
Plugin Medium Patched: Yes CVE-2011-5104
WP eCommerce < 3.8.7.2 - Stored Cross-Site Scripting

Cross-site scripting (XSS) vulnerability in wpsc-admin/display-sales-logs.php in WP e-Commerce plugin 3.8.7.1 and possibly earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the custom_text parameter. NOTE: some of these details are obtained...

Published
Nov 21, 2011
Patched Release
3.8.7.2
Affected Versions
Versions before 3.8.7.2
Next Step
Update to 3.8.7.2 or newer if supported.
Open Full Report Open CVE Reference