Filtered by vendor Woocommerce Subscriptions
Total 72 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2022-0775 1 Woocommerce 1 Woocommerce 2024-11-21 4.3 Medium
The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment
CVE-2021-32790 1 Woocommerce 1 Woocommerce 2024-11-21 4.9 Medium
Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpoints of `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing API. Read-only SQL queries can be executed using this exploit, while data will not be returned, by carefully crafting `search` parameter information can be disclosed using timing and related attacks. Version 3.3.6 is the earliest version of Woocommerce with a patch for this vulnerability. There are no known workarounds other than upgrading.
CVE-2021-24940 1 Woocommerce 1 Persian-woocommerce 2024-11-21 6.1 Medium
The Persian Woocommerce WordPress plugin through 5.8.0 does not escape the s parameter before outputting it back in an attribute in the admin dashboard, which could lead to a Reflected Cross-Site Scripting issue
CVE-2021-24938 1 Woocommerce 1 Woocommerce Currency Switcher 2024-11-21 6.1 Medium
The WOOCS WordPress plugin before 1.3.7.1 does not sanitise and escape the key parameter of the woocs_update_profiles_data AJAX action (available to any authenticated user) before outputting it back in the response, leading to a Reflected cross-Site Scripting issue
CVE-2021-24323 1 Woocommerce 1 Woocommerce 2024-11-21 4.8 Medium
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled
CVE-2021-24212 1 Woocommerce 1 Help Scout 2024-11-21 9.8 Critical
The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://woocommerce.com/products/woocommerce-help-scout/) allows unauthenticated users to upload any files to the site which by default will end up in wp-content/uploads/hstmp.
CVE-2020-35627 1 Woocommerce 1 Gift Cards 2024-11-21 8.8 High
Ultimate WooCommerce Gift Cards 3.0.2 is affected by a file upload vulnerability in the Custom GiftCard Template that can remotely execute arbitrary code. Once it contains the function "Custom Gift Card Template", the function of uploading a custom image is used, changing the name of the image extension to PHP and executing PHP code on the server.
CVE-2020-29156 1 Woocommerce 1 Woocommerce 2024-11-21 5.3 Medium
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
CVE-2020-11497 1 Woocommerce 1 Nab Transact 2024-11-21 7.5 High
An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress. An online payment system bypass allows orders to be marked as fully paid by assigning an arbitrary bank transaction ID during the payment-details entry step.
CVE-2019-9168 1 Woocommerce 1 Woocommerce 2024-11-21 N/A
WooCommerce before 3.5.5 allows XSS via a Photoswipe caption.
CVE-2019-7441 1 Woocommerce 1 Paypal Checkout Payment Gateway 2024-11-21 N/A
cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.8 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state
CVE-2019-20891 1 Woocommerce 1 Woocommerce 2024-11-21 8.8 High
WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php.
CVE-2019-18834 1 Woocommerce 1 Subscriptions 2024-11-21 6.1 Medium
Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCS_Admin_Post_Types in class-wcs-admin-post-types.php.
CVE-2019-14979 1 Woocommerce 1 Paypal Checkout Payment Gateway 2024-11-21 N/A
cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE: The plugin author states it is true that the amount can be manipulated in the PayPal payment flow. However, the amount is validated against the WooCommerce order total before completing the order, and if it doesn’t match then the order will be left in an “On Hold” state
CVE-2019-14978 1 Woocommerce 1 Payu India Payment Gateway 2024-11-21 N/A
/payu/icpcheckout/ in the WooCommerce PayU India Payment Gateway plugin 2.1.1 for WordPress allows Parameter Tampering in the purchaseQuantity=1 parameter, as demonstrated by purchasing an item for lower than the intended price.
CVE-2018-20714 1 Woocommerce 1 Woocommerce 2024-11-21 N/A
The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate privileges to admin.
CVE-2017-18356 1 Woocommerce 1 Woocommerce 2024-11-21 N/A
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes.
CVE-2016-10987 1 Woocommerce 1 Persian Woocommerce Sms 2024-11-21 6.1 Medium
The persian-woocommerce-sms plugin before 3.3.4 for WordPress has ps_sms_numbers XSS.
CVE-2016-10112 1 Woocommerce 1 Woocommerce 2024-11-21 N/A
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format.
CVE-2015-2329 1 Woocommerce 1 Woocommerce 2024-11-21 N/A
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order.