Exposure of WooCommerce

Category: Ecommerce, WordPress plugins

Exposure score: 1,807
Sites using it: 591,334
Exploited (KEV): 0
Critical CVEs: 158
Vexday analysis

WooCommerce has accumulated 2,037 catalogued CVEs, a substantial volume that reflects its wide adoption and attack surface; 158 of these are of critical severity and 137 were published in the last 90 days, indicating a high rate of recent discovery. The rate of active exploitation is below the overall average for the KEV catalogue, with no confirmed entry at present, although this does not eliminate the operational risk given the high volume of accumulated critical flaws. The most frequent weakness type is CWE-79 (Cross-Site Scripting), a pattern that demands continuous attention in environments with multiple integrated plugins and themes. CVE-2023-28121 deserves immediate priority: its EPSS score of 0.87 indicates a very high probability of active exploitation within the next 30 days, making it the main risk vector to address in any remediation plan.

CVEs

2,037 results (first 20 shown)

CVE | Severity | Title | EPSS
CVE-2025-24705 | MEDIUM | WordPress WooCommerce Quick View plugin <= 1.1.1 - Sensitive Data Exposure vulnerability | EPSS 0.5%
CVE-2023-2275 | MEDIUM | WooCommerce Multivendor Marketplace – REST API <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order/Order Note Disclosure, Order Note Addition via REST API | EPSS 0.5%
CVE-2025-26535 | CRITICAL | WordPress Bitcoin / AltCoin Payment Gateway for WooCommerce & Multivendor store / shop plugin <= 1.7.6 - SQL Injection vulnerability | EPSS 0.5%
CVE-2026-24372 | HIGH | WordPress Subscriptions for WooCommerce plugin <= 1.8.10 - Bypass vulnerability | EPSS 0.5%
CVE-2024-12395 | MEDIUM | WooCommerce Additional Fees On Checkout (Free) <= 1.4.7 - Reflected Cross-Site Scripting via 'number' | EPSS 0.5%
CVE-2025-30618 | CRITICAL | WordPress Rapyd Payment Extension for WooCommerce plugin <= 1.2.0 - PHP Object Injection vulnerability | EPSS 0.5%
CVE-2024-13234 | HIGH | Product Table by WBW <= 2.1.2 - Unauthenticated SQL Injection | EPSS 0.5%
CVE-2025-48124 | HIGH | WordPress Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light plugin <= 2.4.37 - Arbitrary File Download vulnerability | EPSS 0.5%
CVE-2023-1839 | MEDIUM | Product Addons & Fields for WooCommerce < 32.0.6 - Admin+ Stored Cross-Site Scripting | EPSS 0.5%
CVE-2025-24625 | MEDIUM | WordPress Taxonomy/Term and Role based Discounts for WooCommerce plugin <= 5.1 - Cross-Site Request Forgery (CSRF) to Settings Change vulnerability | EPSS 0.5%
CVE-2023-7151 | MEDIUM | Product Enquiry for WooCommerce < 3.2 - Reflected XSS | EPSS 0.5%
CVE-2022-34344 | MEDIUM | WordPress Wholesale Suite Plugin <= 2.1.5 - Broken Access Control | EPSS 0.5%
CVE-2024-32516 | MEDIUM | WordPress Multi Currency For WooCommerce plugin <= 1.5.5 - Broken Access Control vulnerability | EPSS 0.5%
CVE-2024-32524 | MEDIUM | WordPress Custom Order Statuses for WooCommerce plugin <= 1.5.2 - Broken Access Control vulnerability | EPSS 0.5%
CVE-2025-49380 | CRITICAL | WordPress WooCommerce Vehicle Parts Finder plugin <= 3.7 - PHP Object Injection vulnerability | EPSS 0.5%
CVE-2025-30839 | MEDIUM | WordPress Taxi Booking Manager for WooCommerce plugin <= 1.2.1 - Broken Access Control vulnerability | EPSS 0.5%
CVE-2026-47100 | HIGH | Funnel Builder for WooCommerce Checkout < 3.15.0.3 - Missing Authorization via AJAX | EPSS 0.5%
CVE-2023-0492 | MEDIUM | GS Products Slider for WooCommerce < 1.5.9 - Contributor+ Stored XSS | EPSS 0.5%
CVE-2024-0766 | MEDIUM | Envo's Elementor Templates & Widgets for WooCommerce <= 1.4.4 - Missing Authorization via templates_ajax_request | EPSS 0.5%
CVE-2024-6448 | MEDIUM | Mollie Payments for WooCommerce <= 7.7.0 - Unauthenticated Full Path Disclosure | EPSS 0.5%
