Exposure of WooCommerce

Ecommerce, WordPress plugins
Exposure score: 1,859
Sites using it: 591,334
Exploited: 0
Critical: 159
Vexday analysis

WooCommerce has 2,037 catalogued CVEs, a large volume that reflects both its wide adoption and its attack surface. Of these, 158 are rated critical and 137 were published in the last 90 days, indicating a high rate of recent discovery. Note that this count aggregates extensions that carry "WooCommerce" in their name (checkout managers, payment gateways, vendor and membership add-ons, and so on), not only WooCommerce core, so a given site's real exposure depends on which extensions it has installed and at which versions. The active exploitation rate is below the overall KEV catalogue average, with no confirmed entry at the moment; this does not remove operational risk, given the high number of accumulated critical flaws, and absence from KEV is not evidence that a flaw is not being exploited, since many WordPress plugin vulnerabilities are abused at scale without ever being listed there. The most frequent weakness class is CWE-79 (Cross-Site Scripting), a pattern that requires continuous attention in environments that integrate multiple plugins and themes. CVE-2023-28121 deserves immediate priority: its EPSS score of 0.87 is an estimated 87% probability of exploitation activity within the next 30 days, which makes it the main risk vector to address in any remediation plan. EPSS is a prediction, not a confirmation of exploitation, so it should drive patch ordering rather than replace it.
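The prioritisation the analysis describes (match advisories to the extensions actually installed, then rank by KEV status, EPSS and severity) can be mechanised. The following is an added example, not code from this page or from Vexday/TrueHacking. It parses the "plugin <= version" bound that the advisory titles below carry, compares it to a constructed plugin inventory (the kind of data `wp plugin list --format=json` returns), and returns the matches in triage order. Plugin matching is by name substring, the inventory versions are invented for the example, and the title used for CVE-2023-28121 is an assumption for illustration, since the page only gives its EPSS score.

```python
import re
from dataclasses import dataclass

# Severity is the last tie-breaker, after KEV status and EPSS.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Advisory titles state the affected range as "<= X.Y.Z"; this captures X.Y.Z.
BOUND_RE = re.compile(r"<=\s*(\d+(?:\.\d+)*)")


@dataclass
class Finding:
    cve: str
    severity: str
    title: str
    epss: float          # EPSS: probability (0..1) of exploitation activity in the next 30 days
    kev: bool = False    # True if the CVE is listed in CISA KEV


def version_tuple(v):
    """'5.101.0' -> (5, 101, 0); pads are applied in is_affected so '8.0' == '8.0.0'."""
    return tuple(int(p) for p in v.split("."))


def is_affected(installed, bound):
    """True when installed <= bound, comparing numerically, not lexically."""
    a, b = version_tuple(installed), version_tuple(bound)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a <= b


def affected_version_bound(title):
    m = BOUND_RE.search(title)
    return m.group(1) if m else None


def priority_key(f):
    # Sort descending on this: KEV first, then EPSS, then CVSS severity band.
    return (f.kev, f.epss, SEVERITY_RANK.get(f.severity, 0))


def triage(findings, inventory):
    """Return (finding, plugin_name, installed_version) for every advisory that
    applies to an installed version, highest priority first."""
    hits = []
    for f in findings:
        bound = affected_version_bound(f.title)
        if bound is None:
            continue  # no machine-readable range; needs manual review
        for name, installed in inventory.items():
            if name.lower() in f.title.lower() and is_affected(installed, bound):
                hits.append((f, name, installed))
    hits.sort(key=lambda h: priority_key(h[0]), reverse=True)
    return hits


def immediate(hits, epss_threshold=0.1):
    """CVEs that need same-day action: in KEV, or EPSS at/above the threshold."""
    return [f.cve for f, _, _ in hits if f.kev or f.epss >= epss_threshold]


# Sample findings taken from the list on this page (EPSS 0.3% = 0.003).
# The CVE-2023-28121 title is an ASSUMPTION for the example; verify it against the advisory.
FINDINGS = [
    Finding("CVE-2026-56027", "CRITICAL",
            "WordPress Booster for WooCommerce plugin <= 8.0.1 - Arbitrary File Upload vulnerability", 0.003),
    Finding("CVE-2025-62015", "HIGH",
            "WordPress Advanced Coupons for WooCommerce Coupons plugin <= 4.6.8 - SQL Injection vulnerability", 0.003),
    Finding("CVE-2026-3355", "MEDIUM",
            "Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch'", 0.003),
    Finding("CVE-2023-28121", "HIGH",
            "WooCommerce Payments plugin <= 5.6.1 - Authentication Bypass (assumed title)", 0.87),
]

# Constructed inventory, in the shape of `wp plugin list` output reduced to name -> version.
INVENTORY = {
    "Booster for WooCommerce": "8.0.1",            # equal to the bound: affected
    "Advanced Coupons for WooCommerce": "4.6.2",   # below the bound: affected
    "Customer Reviews for WooCommerce": "5.102.0", # above the bound: not affected
    "WooCommerce Payments": "5.6.1",               # affected, and highest EPSS
}

if __name__ == "__main__":
    hits = triage(FINDINGS, INVENTORY)
    for f, name, ver in hits:
        print(f"{f.cve:15} {f.severity:8} EPSS={f.epss:.3f} KEV={f.kev} {name} {ver}")
    print("immediate:", immediate(hits))
```

The order that comes out puts CVE-2023-28121 first on EPSS alone, then the critical file-upload flaw, then the high-severity SQL injection; the reflected XSS drops out because the installed version is already above the affected range. Raising `epss_threshold` or setting `kev=True` from a KEV feed changes what `immediate` returns without touching the matching logic.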

CVEs

2,053 results

CVE-2026-56027 | CRITICAL | WordPress Booster for WooCommerce plugin <= 8.0.1 - Arbitrary File Upload vulnerability | EPSS 0.3%
CVE-2026-2554 | HIGH | WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion | EPSS 0.3%
CVE-2025-62015 | HIGH | WordPress Advanced Coupons for WooCommerce Coupons plugin <= 4.6.8 - SQL Injection vulnerability | EPSS 0.3%
CVE-2026-3355 | MEDIUM | Customer Reviews for WooCommerce <= 5.101.0 - Reflected Cross-Site Scripting via 'crsearch' | EPSS 0.3%
CVE-2025-12500 | MEDIUM | Checkout Field Manager (Checkout Manager) for WooCommerce <= 7.8.1 - Unauthenticated Limited File Upload | EPSS 0.3%
CVE-2024-43134 | MEDIUM | WordPress Waitlist Woocommerce plugin <= 2.6 - Broken Access Control vulnerability | EPSS 0.3%
CVE-2023-35912 | MEDIUM | WordPress Potent Donations for WooCommerce Plugin <= 1.1.9 is vulnerable to Cross Site Request Forgery (CSRF) | EPSS 0.3%
CVE-2024-37201 | MEDIUM | WordPress Woocommerce Customers Order History plugin <= 5.2.2 - Broken Access Control vulnerability | EPSS 0.3%
CVE-2024-37203 | MEDIUM | WordPress Laybuy Payment Extension for WooCommerce plugin <= 5.3.9 - Broken Access Control vulnerability | EPSS 0.3%
CVE-2025-67909 | HIGH | WordPress Membership For WooCommerce plugin <= 3.0.3 - Insecure Direct Object References (IDOR) vulnerability | EPSS 0.3%
CVE-2024-12336 | MEDIUM | WC Affiliate – A Complete WooCommerce Affiliate Plugin <= 2.5.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via wf-export-all | EPSS 0.3%
CVE-2024-12384 | MEDIUM | Binary MLM Woocommerce <= 2.0 - Reflected Cross-Site Scripting via 'page' | EPSS 0.3%
CVE-2025-68022 | HIGH | WordPress Plugin BlueX for WooCommerce plugin <= 3.1.6 - Broken Access Control vulnerability | EPSS 0.3%
CVE-2024-6836 | MEDIUM | Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells <= 3.4.6 - Missing Authorization to Authenticated (Contributor+) Settings Update | EPSS 0.3%
CVE-2024-12826 | MEDIUM | GoHero Store Customizer for WooCommerce <= 3.5 - Missing Authorization to Unauthenticated Settings Update | EPSS 0.3%
CVE-2023-32296 | HIGH | WordPress Kangu para WooCommerce Plugin <= 2.2.9 is vulnerable to Cross Site Scripting (XSS) | EPSS 0.3%
CVE-2023-39162 | HIGH | WordPress User Email Verification for WooCommerce Plugin <= 3.5.0 is vulnerable to Cross Site Scripting (XSS) | EPSS 0.3%
CVE-2023-41691 | HIGH | WordPress WooCommerce PensoPay Plugin <= 6.3.1 is vulnerable to Cross Site Scripting (XSS) | EPSS 0.3%
CVE-2024-4608 | MEDIUM | SellKit – Funnel builder and checkout optimizer for WooCommerce to sell more, faster <= 1.9.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter | EPSS 0.3%
CVE-2025-31411 | MEDIUM | WordPress Linet ERP-Woocommerce Integration plugin <= 3.5.12 - Arbitrary File Read/Deletion vulnerability | EPSS 0.3%
