Exposure of WooCommerce

Ecommerce, WordPress plugins

1,859

exposure score

591,334

sites use

0

exploited

159

critical

Vexday analysis

O WooCommerce acumula 2.037 CVEs catalogadas, volume expressivo que reflete sua ampla adoção e superfície de ataque — das quais 158 são de severidade crítica e 137 surgiram nos últimos 90 dias, indicando ritmo elevado de descoberta recente. A taxa de exploração ativa está abaixo da média geral do catálogo KEV, com nenhuma entrada confirmada no momento, embora isso não elimine o risco operacional dado o alto volume de falhas críticas acumuladas. O tipo de falha mais frequente é CWE-79 (Cross-Site Scripting), padrão que exige atenção contínua em ambientes com múltiplos plugins e temas integrados. O CVE-2023-28121 merece prioridade imediata: seu score EPSS de 0,87 indica probabilidade muito elevada de exploração ativa nos próximos 30 dias, tornando-o o principal vetor de risco a ser tratado em qualquer plano de remediação.

CVEs

2,053 results

CVE-2023-50892HIGHWordPress TheGem Theme <= 5.9.1 is vulnerable to Cross Site Scripting (XSS)EPSS 0.3%CVE-2024-1796MEDIUMHUSKY – Products Filter for WooCommerce Professional <= 1.3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via ShortcodeEPSS 0.3%CVE-2024-12517MEDIUMWooCommerce Cart Count Shortcode <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site ScriptingEPSS 0.3%CVE-2024-4233MEDIUMBroken Access Control vulnerability in multiple WordPress plugins by Tyche SoftwaresEPSS 0.3%CVE-2025-31781MEDIUMWordPress Gift Cards for WooCommerce plugin <= 1.5.8 - Broken Access Control vulnerabilityEPSS 0.3%CVE-2025-31843MEDIUMWordPress OpenAI Tools for WordPress & WooCommerce plugin <= 2.2.1 - Broken Access Control vulnerabilityEPSS 0.3%CVE-2023-47694MEDIUMWordPress Mini Cart Drawer For WooCommerce plugin <= 4.0.0 - Broken Access Control vulnerabilityEPSS 0.3%CVE-2026-0679MEDIUMFortis for WooCommerce <= 1.2.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid via 'wc-api' EndpointEPSS 0.3%CVE-2020-36744MEDIUMNotificationX <= 1.8.2 - Cross-Site Request Forgery BypassEPSS 0.3%CVE-2020-36741MEDIUMMultiVendorX – MultiVendor Marketplace Solution For WooCommerce <= 3.5.7 - Cross-Site Request Forgery BypassEPSS 0.3%CVE-2026-27045HIGHWordPress WooCommerce Infinite Scroll plugin <= 1.6.2 - PHP Object Injection vulnerabilityEPSS 0.3%CVE-2024-2838MEDIUMWPC Composite Products for WooCommerce <= 7.2.7 - Authenticated (Subscriber+) Stored Cross-Site ScriptingEPSS 0.3%CVE-2024-55996MEDIUMWordPress Payment gateway per Product for WooCommerce plugin <= 3.5.6 - Broken Access Control vulnerabilityEPSS 0.3%CVE-2024-10853MEDIUMBuy one click WooCommerce <= 2.2.9 - Missing Authorization to Authenticated (Subscriber+) Order DeletionEPSS 0.3%CVE-2025-32541HIGHWordPress WooCommerce Sales MIS Report Plugin <= 4.0.3 - Reflected Cross Site Scripting (XSS) vulnerabilityEPSS 0.3%CVE-2024-54241MEDIUMWordPress Elite Notification plugin 1.5 - Cross Site Scripting (XSS) vulnerabilityEPSS 0.3%CVE-2024-1419MEDIUMThe Plus Addons for Elementor <= 5.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting Header Meta Content WidgetEPSS 0.3%CVE-2024-1054MEDIUMBooster for WooCommerce <= 7.1.6 - Authenticated (Contributor+) Stored Cross-Site ScriptingEPSS 0.3%CVE-2024-11418MEDIUMAdditional Order Filters for WooCommerce <= 1.21 - Reflected Cross-Site ScriptingEPSS 0.3%CVE-2025-32570HIGHWordPress ChillPay WooCommerce Plugin <= 2.5.3 - CSRF to Stored XSS vulnerabilityEPSS 0.3%

← previouspage 51 / 103next →

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →