Exposure of WooCommerce

Ecommerce, WordPress plugins
Exposure score: 1,882
Sites using it: 591,334
Exploited (KEV): 0
Critical: 160
Vexday analysis

WooCommerce has 2,037 catalogued CVEs, a substantial volume that reflects its broad adoption and attack surface; of these, 158 are of critical severity and 137 appeared in the last 90 days, indicating a high pace of recent discovery. The rate of active exploitation is below the overall average for the KEV catalogue, with no confirmed entry at the moment, although this does not eliminate operational risk given the high volume of accumulated critical flaws. The most frequent flaw type is CWE-79 (Cross-Site Scripting), a pattern that demands continuous attention in environments with multiple integrated plugins and themes. CVE-2023-28121 deserves immediate priority: its EPSS score of 0.87 indicates a very high probability of active exploitation within the next 30 days, making it the main risk vector to address in any remediation plan.

CVEs

2,060 results
CVE | Severity | Title | EPSS
CVE-2026-39437 | HIGH | WordPress Min Max Step Quantity Limits Manager for WooCommerce plugin <= 5.2.2 - Reflected Cross Site Scripting (XSS) vulnerability | EPSS 0.1%
CVE-2025-28984 | MEDIUM | WordPress Subscription Renewal Reminders for WooCommerce plugin <= 1.4.1 - Cross Site Request Forgery (CSRF) vulnerability | EPSS 0.1%
CVE-2025-47451 | MEDIUM | WordPress Product Quantity Dropdown For Woocommerce plugin <= 1.2 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability | EPSS 0.1%
CVE-2025-53203 | MEDIUM | WordPress WooCommerce PDF Invoice Builder plugin <= 1.2.148 - Cross Site Request Forgery (CSRF) Vulnerability | EPSS 0.1%
CVE-2025-39453 | MEDIUM | WordPress Advanced Dynamic Pricing for WooCommerce plugin <= 4.9.3 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability | EPSS 0.1%
CVE-2025-48111 | MEDIUM | WordPress YITH PayPal Express Checkout for WooCommerce plugin <= 1.49.0 - Cross Site Request Forgery (CSRF) vulnerability | EPSS 0.1%
CVE-2025-54675 | MEDIUM | WordPress YITH WooCommerce Popup Plugin plugin <= 1.48.0 - Cross Site Request Forgery (CSRF) Vulnerability | EPSS 0.1%
CVE-2026-6370 | MEDIUM | WordPress Mini Ajax Cart for WooCommerce plugin <= 1.3.4 - Cross Site Scripting (XSS) vulnerability | EPSS 0.1%
CVE-2025-12191 | MEDIUM | PDF Catalog for WooCommerce <= 1.1.18 - Authenticated (Subscriber+) Stored Cross-Site Scripting | EPSS 0.1%
CVE-2026-9618 | MEDIUM | PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink | EPSS 0.1%
CVE-2024-13682 | MEDIUM | Wallet System for WooCommerce – Wallet, Wallet Cashback, Refunds, Partial Payment, Wallet Restriction <= 2.6.2 - Cross-Site Request Forgery | EPSS 0.1%
CVE-2025-58878 | MEDIUM | WordPress Woocommerce Gifts Product Plugin <= 1.0.0 - Cross Site Request Forgery (CSRF) Vulnerability | EPSS 0.1%
CVE-2025-47473 | MEDIUM | WordPress PW WooCommerce Bulk Edit plugin <= 2.134 - Cross Site Request Forgery (CSRF) Vulnerability | EPSS 0.1%
CVE-2025-49239 | MEDIUM | WordPress Print Invoice & Delivery Notes for WooCommerce plugin <= 5.5.0 - Cross Site Request Forgery (CSRF) Vulnerability | EPSS 0.1%
CVE-2025-68528 | MEDIUM | WordPress Free Shipping Bar: Amount Left for Free Shipping for WooCommerce plugin <= 2.4.9 - Cross Site Scripting (XSS) vulnerability | EPSS 0.1%
CVE-2025-64380 | MEDIUM | WordPress Booster for WooCommerce plugin <= 7.3.2 - Cross Site Scripting (XSS) vulnerability | EPSS 0.1%
CVE-2025-69088 | MEDIUM | WordPress Combo Offers WooCommerce plugin <= 4.2 - Cross Site Scripting (XSS) vulnerability | EPSS 0.1%
CVE-2025-54674 | MEDIUM | WordPress Product Configurator for WooCommerce Plugin plugin <= 1.4.4 - Cross Site Request Forgery (CSRF) Vulnerability | EPSS 0.1%
CVE-2025-27355 | HIGH | WordPress Woocommerce – Loi Hamon Plugin <= 1.1.0 - CSRF to Stored XSS vulnerability | EPSS 0.1%
CVE-2025-58804 | MEDIUM | WordPress WooCommerce Single Page Checkout Plugin <= 1.2.7 - Cross Site Request Forgery (CSRF) Vulnerability | EPSS 0.1%