WooCommerce Exposure

Categories: Ecommerce, WordPress plugins

Exposure score: 1865
Sites using it: 591,334
Under active exploitation: 0
Critical: 159

Vexday analysis

WooCommerce has 2,037 catalogued CVEs, a substantial volume that reflects its broad adoption and attack surface; of these, 158 are of critical severity and 137 appeared in the last 90 days, indicating a high rate of recent discovery. The rate of active exploitation is below the overall average of the KEV catalog, with no confirmed entry at the moment, although this does not eliminate operational risk given the high volume of accumulated critical flaws. The most frequent flaw type is CWE-79 (Cross-Site Scripting), a pattern that demands continuous attention in environments with multiple integrated plugins and themes. CVE-2023-28121 deserves immediate priority: its EPSS score of 0.87 indicates a very high probability of active exploitation within the next 30 days, making it the main risk vector to address in any remediation plan.

CVEs

2057 results

CVE | Severity | Title | EPSS
CVE-2026-48873 | HIGH | WordPress Montonio for WooCommerce plugin <= 10.1.2 - Broken Access Control vulnerability | 0.2%
CVE-2026-52694 | HIGH | WordPress Signature Add-On for WooCommerce plugin <= 2.0 - Sensitive Data Exposure vulnerability | 0.2%
CVE-2026-48883 | HIGH | WordPress WPC Product Bundles for WooCommerce plugin <= 8.5.3 - Broken Access Control vulnerability | 0.2%
CVE-2025-5238 | MEDIUM | YITH WooCommerce Wishlist <= 4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter | 0.2%
CVE-2024-12204 | MEDIUM | Coupon X: Discount Pop Up, Promo Code Pop Ups, Announcement Pop Up, WooCommerce Popups <= 1.3.5 - Missing Authorization | 0.2%
CVE-2025-48117 | MEDIUM | WordPress WooCommerce POS plugin <= 1.7.8 - Broken Access Control Vulnerability | 0.2%
CVE-2025-12783 | MEDIUM | Premmerce Brands for WooCommerce <= 1.2.13 - Missing Authorization To Authenticated (Subscriber+) Brand Permalink Settings Update | 0.2%
CVE-2025-15484 | CRITICAL | Order Notification for WooCommerce < 3.6.3 - Unauthenticated WooCommerce REST Permission Bypass | 0.2%
CVE-2026-49065 | HIGH | WordPress Hippoo Mobile App for WooCommerce plugin <= 1.9.5 - Broken Access Control vulnerability | 0.2%
CVE-2025-68011 | HIGH | WordPress GLS Shipping for WooCommerce plugin <= 1.4.0 - Cross Site Scripting (XSS) vulnerability | 0.2%
CVE-2025-69386 | HIGH | WordPress RVCFDI para Woocommerce plugin <= 8.1.8 - Reflected Cross Site Scripting (XSS) vulnerability | 0.2%
CVE-2025-3775 | MEDIUM | ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) <= 3.1.2 - Unauthenticated Server-Side Request Forgery via URL Parameter | 0.2%
CVE-2026-54815 | CRITICAL | WordPress Cargo Shipping Location for WooCommerce plugin <= 5.6 - SQL Injection vulnerability | 0.2%
CVE-2026-49110 | HIGH | WordPress Upsell Order Bump Offer for WooCommerce plugin <= 3.1.4 - Price Manipulation vulnerability | 0.2%
CVE-2025-24592 | HIGH | WordPress SysBasics Customize My Account for WooCommerce plugin <= 2.8.22 - Reflected Cross Site Scripting (XSS) vulnerability | 0.2%
CVE-2025-39362 | MEDIUM | WordPress Mollie Payments for WooCommerce plugin <= 8.0.2 - Insecure Direct Object References (IDOR) vulnerability | 0.2%
CVE-2025-2719 | MEDIUM | Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) 1.2.8 - 1.4.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update | 0.2%
CVE-2025-14886 | MEDIUM | Japanized for WooCommerce <= 2.7.17 - Missing Authorization to Unauthenticated Order Status Modification | 0.2%
CVE-2025-12392 | MEDIUM | Cryptocurrency Payment Gateway for WooCommerce <= 2.0.25 - Missing Authorization to Unauthenticated Tracking Status Update | 0.2%
CVE-2025-14034 | MEDIUM | ilGhera Support System for WooCommerce <= 1.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Deletion | 0.2%

Want to know whether your infrastructure is exposed to this?

Talk to TrueHacking →