Everything you need to launch an online store in days and keep it growing for years. From your first sale to millions in revenue, Woo is with you.
WooCommerce är WordPress mest populära e-handelslösning som gör det möjligt att skapa och driva webbutiker direkt från din WordPress-sajt. Med över 7 miljoner aktiva installationer är det det självklara valet för många företag som vill sälja produkter online.
WooCommerce har totalt 48 dokumenterade sårbarheter, vilket kan låta mycket men ska ses i relation till tilläggets enorma popularitet och långa utvecklingshistoria. Fördelningen visar 33 medium-risk sårbarheter, 10 high-risk och 4 critical-risk sårbarheter, samt 1 low-risk.
Den senaste kända sårbarheten rapporterades i september 2021, vilket tyder på att utvecklarna aktivt arbetar med säkerhetsförbättringar. De flesta sårbarheter i kategorin "medium" utgör begränsad risk för välskötta sajter, medan high- och critical-sårbarheter kräver omedelbar uppmärksamhet när de upptäcks.
Regelbundna uppdateringar är det absolut viktigaste skyddet mot säkerhetshot – både för WooCommerce och alla andra tillägg på din sajt.
Kör ett gratis test och se om din hemsida är påverkad av dessa sårbarheter.
Påverkade versioner: <= 10.0.4
Påverkade versioner: <= 10.0.2
Påverkade versioner: <= 9.3.2
Påverkade versioner: <= 9.7.0
Påverkade versioner: < 3.3.1.0
The fetch_product_ajax functionality in the Product Feed on WooCommerce WordPress plugin before 3.3.1.0 uses a `product_id` POST parameter which is not properly sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injec...
Påverkade versioner: <= 2.1.1
The Integration of Moneybird for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the error_description parameter found in the ~/templates/wcmb-admin.php file which allows attackers to inject arbitrary web scripts, in...
Påverkade versioner: <= 2.0.10
The WooCommerce Payment Gateway Per Category WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/includes/plugin_settings.php file which allows attackers to inject arbitrary web scri...
Påverkade versioner: <= 5.4.3
Versions up to, and including, 5.4.3, of the Booster for WooCommerce WordPress plugin are vulnerable to authentication bypass via the process_email_verification function due to a random token generation weakness in the reset_and_mail_activation_link...
Påverkade versioner: <= 3.5
The Moova for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the lat parameter in the ~/Checkout/Checkout.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 3.5.
Påverkade versioner: < 3.3.6
Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to...
Påverkade versioner: <= 2.5.7
The WooCommerce Stock Manager WordPress plugin is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Upload in versions up to, and including, 2.5.7 due to missing nonce and file validation in the /woocommerce-stock-manager/trunk/admin...
Påverkade versioner: < 1.13.22
The slider import search feature of the PickPlugins Product Slider for WooCommerce WordPress plugin before 1.13.22 did not properly sanitised the keyword GET parameter, leading to reflected Cross-Site Scripting issue
Påverkade versioner: < 1.5.2
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the WooCommerce Conditional Marketing Mailer WordPress plugin before 1.5.2, to install any plugin (including a specific version) from the WordPress repository,...
Påverkade versioner: < 2.9.1
The WooCommerce Help Scout WordPress plugin before 2.9.1 (https://woocommerce.com/products/woocommerce-help-scout/) allows unauthenticated users to upload any files to the site which by default will end up in wp-content/uploads/hstmp.
Påverkade versioner: < 59.4
The WooCommerce Upload Files WordPress plugin before 59.4 ran a single sanitization pass to remove blocked extensions such as .php. It was possible to bypass this and upload a file with a PHP extension by embedding a "blocked" extension within anothe...
Påverkade versioner: < 3.1.8
This Advanced Order Export For WooCommerce WordPress plugin before 3.1.8 helps you to easily export WooCommerce order data. The tab parameter in the Admin Panel is vulnerable to reflected XSS.
Påverkade versioner: < 3.3.1
An arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium plugin before 3.3.1 for WordPress allows remote attackers to achieve remote code execution on the operating system in the security context of the web server. In order t...
Påverkade versioner: < 4.7.0
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action.
Påverkade versioner: all
An issue was discovered in the NAB Transact extension 2.1.0 for the WooCommerce plugin for WordPress. An online payment system bypass allows orders to be marked as fully paid by assigning an arbitrary bank transaction ID during the payment-details en...
Påverkade versioner: < 2.6.3
Persistent XSS in the WooCommerce Subscriptions plugin before 2.6.3 for WordPress allows remote attackers to execute arbitrary JavaScript because Billing Details are mishandled in WCS_Admin_Post_Types in class-wcs-admin-post-types.php.
Påverkade versioner: all
A cross-site scripting (XSS) vulnerability in the AlgolPlus Advanced Order Export For WooCommerce plugin 3.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the view/settings-form.php woe_post_type parameter.
Påverkade versioner: <= 2.7.1
Cross-site scripting (XSS) vulnerability in test-plugin.php in the Swipe Checkout for WooCommerce plugin 2.7.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the api_url parameter.
Påverkade versioner: all
cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.17 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOT...
Påverkade versioner: all
/payu/icpcheckout/ in the WooCommerce PayU India Payment Gateway plugin 2.1.1 for WordPress allows Parameter Tampering in the purchaseQuantity=1 parameter, as demonstrated by purchasing an item for lower than the intended price.
Påverkade versioner: < 3.1.0
The woocommerce-catalog-enquiry plugin before 3.1.0 for WordPress has an incorrect wp_upload directory for file uploads.
Påverkade versioner: < 1.8.4
The woocommerce-exporter plugin before 1.8.4 for WordPress has privilege escalation.
Påverkade versioner: <= 1.3.1
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporte...
Påverkade versioner: < 1.5.8
The woocommerce-store-toolkit plugin before 1.5.8 for WordPress has privilege escalation.
Påverkade versioner: < 1.5.7
The woocommerce-store-toolkit plugin before 1.5.7 for WordPress has privilege escalation.
Påverkade versioner: < 3.8.0
The woocommerce-jetpack plugin before 3.8.0 for WordPress has XSS in the Products Per Page feature.
Påverkade versioner: < 18.4
The woocommerce-product-addon plugin before 18.4 for WordPress has XSS via an import of a new meta data structure.
Påverkade versioner: < 2.0.13
The woocommerce-pdf-invoices-packing-slips plugin before 2.0.13 for WordPress has XSS via the tab or section variable on settings screens.
Påverkade versioner: all
The mq-woocommerce-products-price-bulk-edit (aka Woocommerce Products Price Bulk Edit) plugin 2.0 for WordPress allows XSS via the wp-admin/admin-ajax.php?action=update_options show_products_page_limit parameter.
Påverkade versioner: <= 2.2.18
WebAppick WooCommerce Product Feed 2.2.18 and earlier is affected by: Cross Site Scripting (XSS). The impact is: XSS to RCE via editing theme files in WordPress. The component is: admin/partials/woo-feed-manage-list.php:63. The attack vector is: Admi...
Påverkade versioner: < 4.3
The WooCommerce Checkout Manager plugin before 4.3 for WordPress allows media deletion via the wp-admin/admin-ajax.php?action=update_attachment_wccm wccm_default_keys_load parameter because of a nopriv_ registration and a lack of capabilities checks.
Påverkade versioner: all
cgi-bin/webscr?cmd=_cart in the WooCommerce PayPal Checkout Payment Gateway plugin 1.6.8 for WordPress allows Parameter Tampering in an amount parameter (such as amount_1), as demonstrated by purchasing an item for lower than the intended price. NOTE...
Påverkade versioner: < 3.4.6
The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a sh...
Påverkade versioner: < 3.2.4
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string t...
Påverkade versioner: <= 1.5.4
The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.
Påverkade versioner: <= 1.0.9
An issue was discovered in the MULTIDOTS Advance Search for WooCommerce plugin 1.0.9 and earlier for WordPress. This plugin is vulnerable to a stored Cross-site scripting (XSS) vulnerability. A non-authenticated user can save the plugin settings and...
Påverkade versioner: <= 1.0.6
The MULTIDOTS WooCommerce Quick Reports plugin 1.0.6 and earlier for WordPress is vulnerable to Stored XSS. It allows an attacker to inject malicious JavaScript code on the WooCommerce -> Orders admin page. The attack is possible by modifying the "re...
Påverkade versioner: all
class-woo-banner-management.php in the MULTIDOTS WooCommerce Category Banner Management plugin 1.1.0 for WordPress has an Unauthenticated Settings Change Vulnerability, related to certain wp_ajax_nopriv_ usage. Anyone can change the plugin's setting...
Påverkade versioner: < 2.2.0
A local file inclusion issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The vulnerability is due to the lack of args/input v...
Påverkade versioner: < 2.2.0
A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin implemented a page redraw AJAX function...
Påverkade versioner: < 2.3.6
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order.
Påverkade versioner: < 1.0.9
The "SagePay Server Gateway for WooCommerce" plugin before 1.0.9 for WordPress has XSS via the includes/pages/redirect.php page parameter.
Påverkade versioner: <= 3.2.6
The WooCommerce plugin through 3.x for WordPress has a Directory Traversal Vulnerability via a /wp-content/plugins/woocommerce/templates/emails/plain/ URI, which accesses a parent directory. NOTE: a software maintainer indicates that Directory Traver...
Påverkade versioner: <= 2.6.8
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format.
Påverkade versioner: < 1.4
Absolute path traversal vulnerability in proxy.php in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress allows remote attackers to read arbitrary files via a full pathname in the requrl...
Påverkade versioner: <= 2.2.10
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.2.11 for WordPress allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING in the wc-reports page to wp-admin/admin.php.
Påverkade versioner: <= 2.2.2
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the range parameter on the wc-reports page to wp-admin/admin.php.
Påverkade versioner: <= 0.1.6.6
Multiple cross-site scripting (XSS) vulnerabilities in pages/3DComplete.php in the WooCommerce SagePay Direct Payment Gateway plugin before 0.1.6.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) MD or (2) PARe...
Sårbarheter i tillägg är den vanligaste attackytan för WordPress-sajter. Det bästa skyddet är att vara proaktiv — här är tre konkreta steg.
De flesta sårbarheter i WooCommerce åtgärdas snabbt av utvecklarna. Uppdatera alltid till senaste versionen.
Varje tillägg är en potentiell attackyta. Avinstallera det du inte aktivt använder.
Med löpande övervakning upptäcker du problem innan de blir allvarliga.
Vill du slippa hålla koll själv? Med ett supportavtal från Sitesupport sköter vi uppdateringar och säkerhet åt dig.
Kör ett gratis test och se hur din sajt presterar inom SEO, säkerhet, prestanda och tillgänglighet — på under en minut.
Testa gratisInget konto krävs