Woocommerce

This hub aggregates every CVE we track for Woocommerce, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Woocommerce.

• CVE-2022-50972WooCommerce 7.1.0 Remote Code Execution via class-wc-meta-box-product-images.php9.8Jun 20, 2026
• CVE-2026-3589WooCommerce < 10.5.3 - Arbitrary Admin User Creation via CSRF7.5Mar 6, 2026
• CVE-2025-15033WooCommerce - Subscriber/Customer+ Order Data Disclosure6.5Dec 22, 2025
• CVE-2023-7320WooCommerce <= 7.8.2 - Sensitive Information Exposure5.3Oct 29, 2025
• CVE-2025-49042WordPress WooCommerce plugin <= 10.0.2 - Cross Site Scripting (XSS) vulnerability5.9Oct 29, 2025
• CVE-2025-5062WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting6.1May 22, 2025
• CVE-2025-26762WordPress WooCommerce plugin <= 9.7.0 - Cross Site Scripting (XSS) vulnerability5.9Mar 27, 2025
• CVE-2024-9944WooCommerce <= 9.0.2 - Unauthenticated HTML Injection5.3Oct 15, 2024
• CVE-2024-39666WordPress WooCommerce plugin <= 9.1.2 - Cross Site Scripting (XSS) vulnerability5.9Aug 18, 2024
• CVE-2024-35777WordPress WooCommerce plugin <= 8.9.2 - Content Injection vulnerability3.5Jul 9, 2024
• CVE-2024-37297WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms5.4Jun 12, 2024
• CVE-2024-1310WooCommerce < 8.6 - Contributor+ Private/Draft Products Access4.9Apr 15, 2024
• CVE-2024-22155WordPress WooCommerce plugin <= 8.5.2 - Cross Site Request Forgery (CSRF) vulnerability4.3Apr 7, 2024
• CVE-2022-0775WooCommerce < 6.2.1 - Subscriber+ Arbitrary Comment Deletion4.3Jan 16, 2024
• CVE-2023-52222WordPress WooCommerce Plugin <= 8.2.2 is vulnerable to Cross Site Request Forgery (CSRF)4.3Jan 8, 2024