Threat Feed

Tag

Woocommerce

8 briefs
high advisory

WooCommerce Infinite Scroll Plugin Vulnerable to PHP Object Injection (CVE-2025-11993)

The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection (CVE-2025-11993) due to deserialization of untrusted data in the 'import_settings' function, potentially leading to arbitrary code execution if a suitable POP chain is present.
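The brief above names the class of bug but not what "deserialization of untrusted data" and "a suitable POP chain" look like in practice. The following is an added, constructed example (plain PHP, not the plugin's own import_settings code): a settings importer that hands a request blob to unserialize(), a gadget class of the kind a POP chain is built from, and two hardened variants. The class name LogWriter, the function names and the payload are all illustrative.

```php
<?php
// Constructed illustration of PHP Object Injection. Not the plugin's code.

// A "gadget": any loaded class whose magic method acts on its own properties.
// unserialize() instantiates it with attacker-chosen property values, and PHP
// calls __destruct() when the object is discarded. Constructed for illustration.
class LogWriter {
    public $path;
    public $data;
    public function __destruct() {
        file_put_contents($this->path, $this->data); // attacker-chosen path and content
    }
}

// Vulnerable pattern: the request blob goes straight to unserialize(), so the
// attacker decides which class is instantiated, not the developer.
function import_settings_vulnerable(string $blob): array {
    $settings = unserialize($blob);
    return is_array($settings) ? $settings : []; // object is discarded here -> __destruct() fires
}

// Hardened pattern 1: keep the format but forbid every class. Objects in the blob
// become __PHP_Incomplete_Class, which has no magic methods to trigger.
function import_settings_no_classes(string $blob): array {
    $settings = unserialize($blob, ['allowed_classes' => false]);
    return is_array($settings) ? $settings : [];
}

// Hardened pattern 2 (preferred): a data-only format plus shape validation, so the
// importer only ever accepts scalar values under known-looking keys.
function import_settings_json(string $blob): array {
    $settings = json_decode($blob, true, 8); // associative arrays only, bounded depth
    if (!is_array($settings)) {
        return [];
    }
    $clean = [];
    foreach ($settings as $key => $value) {
        if (is_string($key) && preg_match('/^[a-z_]{1,64}$/', $key) && is_scalar($value)) {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Constructed payload, written by hand the way an attacker would: a serialized
// LogWriter whose properties point at a temp file. No LogWriter object exists yet.
$target  = sys_get_temp_dir() . '/poi_demo.txt';
$payload = sprintf(
    'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:10:"gadget ran";}',
    strlen($target),
    $target
);

import_settings_vulnerable($payload);
var_dump(file_exists($target));   // true: the gadget's __destruct() wrote the file
@unlink($target);

import_settings_no_classes($payload);
var_dump(file_exists($target));   // false: no class was instantiated, nothing ran

var_dump(import_settings_json('{"per_page":12,"mode":"ajax","__proto":{"x":1}}'));
// only per_page and mode survive; the nested value is dropped
```

Run it with `php poi_demo.php`. The single gadget here is the simplest possible "chain"; in a real WordPress install the attacker is limited to magic methods of classes that are already loaded (core, theme, active plugins), which is why the brief qualifies the impact with "if a suitable POP chain is present".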

WooCommerce Infinite Scroll and Ajax Pagination <= 1.8 php-object-injection wordpress woocommerce cve-2025-11993
high advisory

WooCommerce PayPal Payments Plugin Vulnerable to Order Manipulation and Information Disclosure (CVE-2026-9284)

The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on WC-AJAX endpoints, allowing attackers to manipulate order payment flows and exfiltrate sensitive order details (CVE-2026-9284).

WooCommerce PayPal Payments plugin <= 4.0.1 woocommerce wordpress paypal authorization-bypass information-disclosure
high threat

Funnel Builder for WooCommerce Checkout Missing Authorization Vulnerability (CVE-2026-47100)

Funnel Builder for WooCommerce Checkout versions prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and inject malicious JavaScript, impacting checkout page visitors.

Funnel Builder for WooCommerce Checkout < 3.15.0.3 cve woocommerce wordpress missing-authorization javascript-injection
medium advisory

CVE-2026-4094: FOX – Currency Switcher Professional for WooCommerce Plugin Vulnerability

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss (CVE-2026-4094) due to a missing capability check, allowing authenticated attackers with Contributor-level access or higher to delete the multi-currency configuration.

FOX – Currency Switcher Professional for WooCommerce plugin <= 1.4.5 wordpress woocommerce plugin csrf data-loss cve-2026-4094
high advisory

WordPress WCFM Plugin Vulnerable to IDOR Leading to Account Deletion

The WCFM plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including administrators.
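Four briefs on this page (the WooCommerce PayPal Payments WC-AJAX endpoints, the Funnel Builder public checkout endpoint, the FOX currency-switcher capability check, and the WCFM IDOR above) share one root cause: an endpoint acts on an ID taken from the request without confirming that the caller may act on that specific object. The following is an added, constructed example of the pattern and its fix; it is not any of those plugins' code. It assumes it runs inside WordPress with WooCommerce active, and uses only core hook and function names (wc_ajax_*, wc_get_order, current_user_can, check_ajax_referer); the action names and the demo_ prefix are hypothetical.

```php
<?php
// Constructed illustration of missing authorization / IDOR on a WC-AJAX endpoint.
// Not any plugin's code. Assumes WordPress + WooCommerce core APIs.

// Vulnerable: reachable at /?wc-ajax=demo_order_details_vulnerable&order_id=N by
// anyone. Every order's billing details and line items are one integer away.
add_action('wc_ajax_demo_order_details_vulnerable', function () {
    $order = wc_get_order(absint($_REQUEST['order_id'] ?? 0));
    if (!$order) {
        wp_send_json_error('no such order', 404);
    }
    wp_send_json_success($order->get_data());
});

// Hardened: prove intent (nonce), prove identity (login), then prove authorization
// against the specific object, not just the caller's role.
add_action('wc_ajax_demo_order_details', function () {
    check_ajax_referer('demo_order_details', 'nonce'); // dies on a missing/invalid nonce

    if (!is_user_logged_in()) {
        wp_send_json_error('login required', 401);
    }

    $order = wc_get_order(absint($_REQUEST['order_id'] ?? 0));
    if (!$order) {
        wp_send_json_error('no such order', 404);
    }

    // Object-level check: caller owns this order, or holds the shop-wide capability.
    $is_owner = (int) $order->get_customer_id() === get_current_user_id();
    if (!$is_owner && !current_user_can('manage_woocommerce')) {
        wp_send_json_error('forbidden', 403); // same response for "exists but not yours"
    }

    // Return only what the caller needs, not the full order object.
    wp_send_json_success([
        'id'     => $order->get_id(),
        'status' => $order->get_status(),
        'total'  => $order->get_total(),
    ]);
});

// The same rule for destructive actions on users (the WCFM brief): a role gate such as
// "is a vendor" says nothing about which accounts the vendor may touch. WordPress
// already has a per-target meta capability for this; use it and exclude admins outright.
function demo_can_delete_user(int $target_id): bool {
    if (!current_user_can('delete_users')) {            // role-level gate
        return false;
    }
    if (user_can($target_id, 'manage_options')) {        // never let this path remove an admin
        return false;
    }
    return current_user_can('delete_user', $target_id);  // meta-cap checked against this ID
}

// Configuration-changing actions (the FOX brief) need the capability that matches the
// impact. Contributor-level users hold none of these, so the check alone closes the hole.
function demo_can_reset_currency_settings(): bool {
    return current_user_can('manage_woocommerce') || current_user_can('manage_options');
}
```

Two things practitioners get wrong here: `method_exists`, `is_user_logged_in` and a nonce are not authorization checks, they only establish that a real user made a deliberate request; and for guest checkouts the owner comparison above fails (customer ID 0), so a guest-facing variant must key on the order key or the customer's session instead of silently widening the check.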

WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin <= 6.7.25 idor wordpress woocommerce account-deletion
high advisory

WooCommerce Ajax Product Filter Plugin Vulnerable to SQL Injection (CVE-2026-3396)

The WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection (CVE-2026-3396) due to insufficient escaping and SQL query preparation, allowing unauthenticated attackers to extract sensitive information from the database in versions up to 4.2.3.
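"Insufficient escaping and SQL query preparation" in a product filter almost always means filter values, and in particular variable-length term lists, concatenated into the query because `$wpdb->prepare()` has no obvious placeholder for `IN (...)`. The following is an added, constructed example of that mistake next to the prepared form; it is not the plugin's code. It assumes the WordPress `$wpdb` object and table name properties; function names with the demo_ prefix and the request shape are hypothetical.

```php
<?php
// Constructed illustration of SQL injection in a product filter. Not the plugin's code.
// Assumes WordPress core: the global wpdb instance and its table-name properties.

// Vulnerable: request values are interpolated into the SQL. Nothing is echoed back,
// which is exactly why a time-based probe works: a min_price value such as
// "0 OR SLEEP(5)" is observable as latency alone.
function demo_filter_vulnerable(wpdb $wpdb, array $req): array {
    $terms = implode(',', (array) ($req['terms'] ?? []));
    $sql   = "SELECT p.ID FROM {$wpdb->posts} p
              JOIN {$wpdb->term_relationships} tr ON tr.object_id = p.ID
              WHERE p.post_type = 'product'
                AND tr.term_taxonomy_id IN ({$terms})
                AND p.ID IN (SELECT post_id FROM {$wpdb->postmeta}
                             WHERE meta_key = '_price' AND meta_value + 0 >= {$req['min_price']})";
    return $wpdb->get_col($sql);
}

// Hardened: coerce every input to its expected type first, then bind every value.
// An IN() list gets one %d placeholder per element, generated from the array length.
function demo_filter_safe(wpdb $wpdb, array $req): array {
    $terms = array_values(array_filter(array_map('absint', (array) ($req['terms'] ?? []))));
    if (empty($terms)) {
        return [];                                     // no terms: no query at all
    }
    $min_price    = (float) ($req['min_price'] ?? 0);
    $placeholders = implode(',', array_fill(0, count($terms), '%d'));

    $sql = $wpdb->prepare(
        "SELECT p.ID FROM {$wpdb->posts} p
         JOIN {$wpdb->term_relationships} tr ON tr.object_id = p.ID
         WHERE p.post_type = 'product'
           AND tr.term_taxonomy_id IN ({$placeholders})
           AND p.ID IN (SELECT post_id FROM {$wpdb->postmeta}
                        WHERE meta_key = '_price' AND meta_value + 0 >= %f)",
        array_merge($terms, [$min_price])             // prepare() accepts the args as one array
    );
    return array_map('intval', $wpdb->get_col($sql));
}

// Free-text search needs two steps, not one: esc_like() neutralises % and _ so the
// user cannot widen the pattern, and %s binding stops injection.
function demo_search_safe(wpdb $wpdb, string $q): array {
    $like = '%' . $wpdb->esc_like($q) . '%';
    return $wpdb->get_col($wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'product' AND post_title LIKE %s",
        $like
    ));
}
```

Note that ORDER BY columns and table names cannot be bound with placeholders; those must come from an allowlist (`in_array($orderby, ['price', 'title'], true)`), never from sanitisation alone.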

woocommerce sqli cve-2026-3396 wordpress plugin
high advisory

Product Feed PRO for WooCommerce Plugin CSRF Vulnerability (CVE-2026-3499)

The Product Feed PRO for WooCommerce WordPress plugin (versions 13.4.6-13.5.2.1) is vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing unauthenticated attackers to perform administrative actions by tricking an administrator into clicking a malicious link.
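The distinguishing point of the brief above is that the attacker is unauthenticated yet performs administrative actions: the administrator's browser supplies the session, so a capability check alone changes nothing. The following is an added, constructed example of an admin action that is CSRF-able despite `current_user_can()`, and the same action with a per-action, per-object nonce; it is not the plugin's code. It assumes WordPress core (admin-post.php hooks, `check_admin_referer`, `wp_nonce_field`); the action names, option keys and page slug are hypothetical.

```php
<?php
// Constructed illustration of CSRF on an admin action. Not the plugin's code.
// Assumes WordPress core hooks and nonce functions.

// Vulnerable: authorization is checked, intent is not. A GET to
// /wp-admin/admin-post.php?action=demo_feed_delete_vulnerable&feed_id=7 inside an
// <img src> on any site the admin visits is enough; the browser attaches the cookies.
add_action('admin_post_demo_feed_delete_vulnerable', function () {
    if (!current_user_can('manage_options')) {
        wp_die('forbidden', 403);
    }
    delete_option('demo_feed_' . absint($_REQUEST['feed_id'] ?? 0));
    wp_safe_redirect(admin_url('admin.php?page=demo-feeds'));
    exit;
});

// Hardened: state changes only via POST, a nonce bound to this action and this object
// (so a token captured for one feed does not delete another), then the capability check.
add_action('admin_post_demo_feed_delete', function () {
    if ('POST' !== ($_SERVER['REQUEST_METHOD'] ?? '')) {
        wp_die('method not allowed', 405);
    }
    $feed_id = absint($_POST['feed_id'] ?? 0);
    check_admin_referer('demo_feed_delete_' . $feed_id); // reads _wpnonce, dies on failure
    if (!current_user_can('manage_options')) {
        wp_die('forbidden', 403);
    }
    delete_option('demo_feed_' . $feed_id);
    wp_safe_redirect(admin_url('admin.php?page=demo-feeds'));
    exit;
});

// The legitimate trigger. wp_nonce_field() emits the _wpnonce (and _wp_http_referer)
// inputs that check_admin_referer() verifies on the other side.
function demo_render_delete_form(int $feed_id): void {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="demo_feed_delete">
        <input type="hidden" name="feed_id" value="<?php echo esc_attr($feed_id); ?>">
        <?php wp_nonce_field('demo_feed_delete_' . $feed_id); ?>
        <button type="submit">Delete feed</button>
    </form>
    <?php
}
```

WordPress nonces are tied to the user and session and rotate every 12 to 24 hours, so they are a CSRF defence, not a replay-proof token; the nonce still has to sit next to, not instead of, the capability check.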

wordpress woocommerce csrf cve-2026-3499
critical advisory

ReviewX WordPress Plugin Arbitrary Method Call Vulnerability

The ReviewX WordPress plugin is vulnerable to arbitrary method calls, allowing unauthenticated attackers to potentially achieve remote code execution.
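"Arbitrary method call" (and the "invoke internal methods" wording in the Funnel Builder brief above) describes a dispatcher that takes the method name from the request. The following is an added, constructed example of that dispatcher and of an allowlist-based replacement; it is not ReviewX's code. It assumes the WordPress admin-ajax.php hooks (`wp_ajax_*`, `wp_ajax_nopriv_*`) and core helpers; the class, route and method names are hypothetical.

```php
<?php
// Constructed illustration of an arbitrary method call dispatcher. Not ReviewX's code.
// Assumes WordPress core admin-ajax hooks and helpers.

class Demo_Ajax_Router {
    // Vulnerable: the request picks the method. Because the callable is built inside
    // the class, even private methods are reachable, and method_exists() only answers
    // "is there such a method", never "may this caller run it".
    public function dispatch_vulnerable(): void {
        $method = sanitize_text_field($_REQUEST['method'] ?? '');
        if (method_exists($this, $method)) {
            call_user_func([$this, $method], $_REQUEST);
        }
        wp_die();
    }

    // Hardened: a closed map from public action names to handlers, each with its own
    // capability requirement. Anything not in the map does not exist as far as HTTP knows.
    private const ROUTES = [
        'list_reviews' => ['handler' => 'list_reviews', 'cap' => null],             // public read
        'purge_cache'  => ['handler' => 'purge_cache',  'cap' => 'manage_options'], // admin only
    ];

    public function dispatch(): void {
        $action = sanitize_key($_REQUEST['method'] ?? '');
        if (!isset(self::ROUTES[$action])) {
            wp_send_json_error('unknown action', 400);
        }
        $route = self::ROUTES[$action];
        check_ajax_referer('demo_router_' . $action, 'nonce');          // intent
        if (null !== $route['cap'] && !current_user_can($route['cap'])) { // authorization
            wp_send_json_error('forbidden', 403);
        }
        $this->{$route['handler']}($_REQUEST);
    }

    private function list_reviews(array $req): void {
        wp_send_json_success(['product' => absint($req['product_id'] ?? 0), 'reviews' => []]);
    }

    private function purge_cache(array $req): void {
        wp_cache_flush();
        wp_send_json_success('flushed');
    }

    // Internal helper, never meant to be an endpoint. Through dispatch_vulnerable() it is
    // one: method=write_file&path=...&content=... from an anonymous caller.
    private function write_file(array $req): void {
        file_put_contents($req['path'], $req['content']);
    }
}

$router = new Demo_Ajax_Router();
add_action('wp_ajax_demo_router',        [$router, 'dispatch']);
add_action('wp_ajax_nopriv_demo_router', [$router, 'dispatch']);
```

The fix is the allowlist, not the sanitiser: `sanitize_text_field()` leaves `write_file` untouched, and a prefix convention such as `ajax_` still exposes every method that happens to match it.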

wordpress woocommerce reviewx rce vulnerability