Exposure of WooCommerce

Ecommerce, WordPress plugins
Exposure score: 1,882
Sites using it: 591,334
Exploited (KEV): 0
Critical CVEs: 160
Vexday analysis

WooCommerce has accumulated 2,037 catalogued CVEs, a substantial volume that reflects its wide adoption and attack surface; of these, 158 are of critical severity and 137 appeared in the last 90 days, indicating a high rate of recent discovery. The rate of active exploitation is below the overall average of the KEV catalogue, with no confirmed entry at the moment, although this does not eliminate the operational risk given the large number of accumulated critical flaws. The most frequent weakness type is CWE-79 (Cross-Site Scripting), a pattern that demands continuous attention in environments with multiple integrated plugins and themes. CVE-2023-28121 deserves immediate priority: its EPSS score of 0.87 indicates a very high probability of active exploitation within the next 30 days, making it the main risk vector to address in any remediation plan.

CVEs (2,060 results)
CVE ID | Severity | Title | EPSS
CVE-2025-1362 | MEDIUM | easy-broken-link-checker <= 9.0.2 - Bulk Actions via CSRF | 0.2%
CVE-2026-4140 | MEDIUM | Ni WooCommerce Order Export <= 3.1.6 - Cross-Site Request Forgery to Settings Update via ni_order_export_action AJAX Action | 0.2%
CVE-2025-64196 | HIGH | WordPress Booster for WooCommerce plugin <= 7.2.5 - Cross Site Scripting (XSS) vulnerability | 0.2%
CVE-2025-7960 | MEDIUM | King Addons for Elementor <= 51.1.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets | 0.2%
CVE-2025-58985 | MEDIUM | WordPress Additional Custom Product Tabs for WooCommerce Plugin <= 1.7.3 - Cross Site Scripting (XSS) Vulnerability | 0.2%
CVE-2024-13718 | MEDIUM | Flexible Wishlist for WooCommerce – Ecommerce Wishlist & Save for later <= 1.2.26 - Cross-Site Request Forgery to Wishlist Creation/Modification | 0.2%
CVE-2026-4110 | MEDIUM | Ultimate WooCommerce Auction Pro <= 2.4.5 - Reflected XSS via uwa_auctions_bids_list | 0.2%
CVE-2025-49510 | MEDIUM | WordPress Min Max Step Quantity Limits Manager for WooCommerce plugin <= 5.1.0 - Cross Site Request Forgery (CSRF) vulnerability | 0.1%
CVE-2025-12881 | MEDIUM | Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read | 0.1%
CVE-2025-57914 | MEDIUM | WordPress Deliver via Shipos for WooCommerce plugin <= 3.0.2 - Cross Site Request Forgery (CSRF) vulnerability | 0.1%
CVE-2026-2385 | MEDIUM | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.7 - Unauthenticated Email Relay | 0.1%
CVE-2026-0939 | MEDIUM | Rede Itaú for WooCommerce — Payment PIX, Credit Card and Debit <= 5.1.2 - Unauthenticated Order Status Manipulation | 0.1%
CVE-2025-32263 | MEDIUM | WordPress Sequential Order Numbers for WooCommerce plugin <= 3.6.2 - Cross Site Request Forgery (CSRF) vulnerability | 0.1%
CVE-2025-30631 | HIGH | Reflected Cross Site Scripting (XSS) vulnerability in AA-Team WordPress plugins | 0.1%
CVE-2026-4259 | HIGH | Ultimate WooCommerce Auction Pro <= 2.4.5 - Reflected XSS via uwa_manage_auctions | 0.1%
CVE-2025-46243 | MEDIUM | WordPress Recover abandoned cart for WooCommerce plugin <= 2.2 - Cross Site Request Forgery (CSRF) Vulnerability | 0.1%
CVE-2025-39472 | MEDIUM | WordPress WooCommerce Social Login plugin < 2.8.3 - Cross Site Request Forgery (CSRF) vulnerability | 0.1%
CVE-2025-27342 | MEDIUM | WordPress WooCommerce Recargo de Equivalencia Plugin <= 1.6.24 - Cross Site Request Forgery (CSRF) vulnerability | 0.1%
CVE-2025-57977 | HIGH | WordPress Flexible PDF Invoices for WooCommerce & WordPress Plugin <= 6.0.13 - Cross Site Request Forgery (CSRF) Vulnerability | 0.1%
CVE-2022-44630 | MEDIUM | WordPress YITH WooCommerce Product Slider Carousel plugin <= 1.16.0 - Cross-Site Request Forgery (CSRF) | 0.1%