WP Clinic
Log in Sign up

PLUGIN SECURITY

Is WooCommerce safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the WooCommerce WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: woocommerce
  • Requires PHP: 7.4+

Known vulnerabilities

  • WooCommerce [woocommerce] < 6.6.0 [CVE-2021-32790, WooCommerce < 5.5 - Authenticated Blind SQL Injection, Woocommerce 3.3 to 5.5 - Authenticated Blind SQL Injection]
  • WooCommerce [woocommerce] < 5.2.0 [CVE-2021-24323, WooCommerce <= 5.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting, Woocommerce &lt; 5.2.0 - Authenticated Stored Cross-Site Scripting (XSS)]
  • WooCommerce [woocommerce] < 4.7.0 [CVE-2020-29156, WordPress WooCommerce plugin <= 4.6.2 - Sensitive Information Disclosure vulnerability, WooCommerce < 4.7.0 - Insecure Direct Object Reference via order_id Parameter, WooCommerce &lt; 4.7.0 - Arbitrary Order Status Disclosure via IDOR]
  • WooCommerce [woocommerce] < 3.2.4 [CVE-2017-18356, WooCommerce <= 3.2.3 - Authenticated PHP Object Injection, WooCommerce &lt;= 3.2.3 - Authenticated PHP Object Injection]
  • WooCommerce [woocommerce] < 3.4.6 [CVE-2018-20714, WooCommerce <= 3.4.5 - WooCommerce File Deletion, WooCommerce &lt;= 3.4.5 - Authenticated File Deletion to Privilege Escalation]
+ 92 more known vulnerabilities
  • WooCommerce [woocommerce] >= 2.3 - <= 2.3.5 [CVE-2015-2329, WooCommerce <= 2.3.5 - Stored Cross-Site Scripting, WooCommerce 2.3 - 2.3.5 - SQL Injection]
  • WooCommerce [woocommerce] < 4.0 [CVE-2017-17058]
  • WooCommerce [woocommerce] < 2.6.9 [CVE-2016-10112, WordPress WooCommerce Plugin <= 2.6.8 - Cross Site Scripting, WooCommerce <= 2.6.8 - Authenticated Stored Cross-Site Scripting, WooCommerce &lt;= 2.6.8 - Authenticated Tax-Rate CSV XSS]
  • WooCommerce [woocommerce] < 2.2.11 [CVE-2015-2069, WordPress WooCommerce Plugin <= 2.2.10 - XSS, WooCommerce <= 2.2.10 - Cross-Site Scripting, WooCommerce &lt;= 2.2.10 - Cross-Site Scripting (XSS)]
  • WooCommerce [woocommerce] < 2.2.3 [CVE-2014-6313, WordPress WooCommerce plugin <= 2.2.2 - Cross-Site Scripting (XSS) vulnerability, WooCommerce <= 2.2.2 - Cross-Site Scripting via range Parameter, WooCommerce &lt;= 2.2.2 - Reflected Cross-Site Scripting (XSS)]
  • WooCommerce [woocommerce] < 6.3.1 [WordPress WooCommerce plugin <= 6.3.0 - Orders Status Change (via PayPal Standard Gateway) vulnerability]
  • WooCommerce [woocommerce] < 6.2.1 [WordPress WooCommerce plugin <= 6.2.0 - Path Traversal via Importers vulnerability]
  • WooCommerce [woocommerce] < 6.2.1 [WordPress WooCommerce plugin <= 6.2.0 - Arbitrary Comment Deletion vulnerability]
  • WooCommerce [woocommerce] < 5.7.0 [WordPress WooCommerce plugin <= 5.6.0 - Analytics Report Leaks vulnerability]
  • WooCommerce [woocommerce] < 5.5.1 [WordPress WooCommerce plugin <= 5.5.0 - Unauthenticated SQL Injection (SQLi) vulnerability]
  • WooCommerce [woocommerce] < 5.2.0 [WordPress WooCommerce plugin <= 5.1.0 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability]
  • WooCommerce [woocommerce] < 4.6.2 [WordPress WooCommerce plugin <= 4.6.1 - Guest Account Creation vulnerability]
  • WooCommerce [woocommerce] < 3.6.5 [WordPress WooCommerce plugin <= 3.6.4 - Cross-Site Request Forgery (CSRF) vulnerability]
  • WooCommerce [woocommerce] < 3.5.5 [CVE-2019-9168, WordPress WooCommerce plugin <= 3.5.4 - Stored Cross-Site Scripting (XSS) vulnerability, WooCommerce <= 3.5.4 - Stored Cross-Site Scripting, WooCommerce &lt;= 3.5.4 - Stored Cross-Site Scripting (XSS)]
  • WooCommerce [woocommerce] < 3.5.1 [WordPress WooCommerce plugin <= 3.5.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability]
  • WooCommerce [woocommerce] < 3.4.6 [WordPress WooCommerce plugin <= 3.4.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability]
  • WooCommerce [woocommerce] < 3.4.6 [WordPress WooCommerce plugin <= 3.4.5 - Authenticated File Deletion to Privilege Escalation vulnerability]
  • WooCommerce [woocommerce] < 3.4.6 [WordPress WooCommerce plugin <= 3.4.5 - Authenticated Object Injection vulnerability]
  • WooCommerce [woocommerce] < 3.4.5 [WordPress WooCommerce plugin <= 3.4.4 - Potential Object Injection vulnerability]
  • WooCommerce [woocommerce] < 3.2.4 [WordPress WooCommerce plugin <=3.2.3 - Authenticated PHP Object Injection vulnerability]
  • WooCommerce [woocommerce] < 2.6.4 [WordPress WooCommerce Plugin <= 2.6.3 - Cross Site Scripting]
  • WooCommerce [woocommerce] < 2.6.3 [WordPress WooCommerce Plugin <= 2.6.2 - Cross Site Scripting]
  • WooCommerce [woocommerce] < 2.4.9 [WordPress WooCommerce Plugin <= 2.4.8 - Cross Site Scripting]
  • WooCommerce [woocommerce] < 2.3.11 [WordPress WooCommerce Plugin <= 2.3.10 - XXE]
  • WooCommerce [woocommerce] < 2.2.3 [WordPress WooCommerce Plugin <= 2.1.12 - Reflected XSS]
  • WooCommerce [woocommerce] < 2.0.18 [WordPress WooCommerce Plugin <= 2.0.17 - Reflected Cross Site Scripting]
  • WooCommerce [woocommerce] < 2.0.13 [WordPress WooCommerce Plugin <= 2.0.12 - Cross Site Scripting]
  • WooCommerce [woocommerce] < 2.3.6 [WordPress WooCommerce Plugin <= 2.3.5 - SQL Injection]
  • WooCommerce [woocommerce] < 6.6.0 [CVE-2022-2099, WordPress WooCommerce plugin <= 6.5.1 - Authenticated Stored HTML Injection vulnerability, WooCommerce <= 6.5.1 - Authenticated (Admin+) HTML Injection, WooCommerce &lt; 6.6.0 - Admin+ Stored HTML Injection]
  • WooCommerce [woocommerce] < 5.7.0 [WooCommerce < 5.7.0 & WooCommerce Admin < 2.6.4 - Information Disclosure]
  • WooCommerce [woocommerce] < 6.3.1 [WooCommerce < 6.3.1 - Unauthorized Order Status Change]
  • WooCommerce [woocommerce] < 6.2.1 [WooCommerce <= 6.2.0 - Incorrect Authorization Checks on REST API Endpoints]
  • WooCommerce [woocommerce] < 6.2.1 [WooCommerce <= 6.2.0 - Path Traversal via Tax Importer]
  • WooCommerce [woocommerce] < 4.6.2 [WooCommerce <= 4.6.1 & WooCommerce Blocks <= 3.7.0 - Settings Bypass leading to Account Creation]
  • WooCommerce [woocommerce] < 4.2.1 [WooCommerce <= 4.2.0 - Reflected Cross-Site Scripting]
  • WooCommerce [woocommerce] < 4.1.0 [WooCommerce <= 4.0.4 - Unauthorized Post Meta Creation/Modification]
  • WooCommerce [woocommerce] < 3.6.5 [WooCommerce <= 3.6.4 - Missing File Type Validation]
  • WooCommerce [woocommerce] < 3.6.5 [WooCommerce <= 3.6.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting]
  • WooCommerce [woocommerce] < 3.5.2 [WooCommerce <= 3.5.1 - Authenticated Stored Cross-Site Scripting]
  • WooCommerce [woocommerce] < 3.4.5 [WooCommerce <= 3.4.4 - Authenticated PHP Object Injection]
  • WooCommerce [woocommerce] < 2.6.4 [WooCommerce <= 2.6.3 - Stored Cross-Site Scripting via REST-API]
  • WooCommerce [woocommerce] < 2.6.3 [WooCommerce <= 2.6.2 - Stored Cross-Site Scripting]
  • WooCommerce [woocommerce] < 2.4.9 [WooCommerce < 2.4.9 - Cross-site Scripting]
  • WooCommerce [woocommerce] >= 2.0.20 - <= 2.3.10 [WooCommerce <= 2.3.10 - PHP Object Injection]
  • WooCommerce [woocommerce] < 2.2.3 [WooCommerce <= 2.2.2 - Reflected Cross-Site Scripting]
  • WooCommerce [woocommerce] < 2.0.18 [WooCommerce <= 2.0.17 - Cross-Site Scripting]
  • WooCommerce [woocommerce] < 2.0.13 [WooCommerce <= 2.0.12 - Self-Reflected Cross-Site Scripting]
  • WooCommerce [woocommerce] < 2.2.3 [WooCommerce &lt;= 2.1.12 - Reflected Cross-Site Scripting (XSS)]
  • WooCommerce [woocommerce] < 2.0.13 [WooCommerce 2.0.12 - index.php calc_shipping_state Parameter XSS]
  • WooCommerce [woocommerce] < 2.0.17 [WooCommerce 2.0.17 - hide-wc-extensions-message Parameter Reflected XSS]
  • WooCommerce [woocommerce] < 6.2.1 [WooCommerce &lt; 6.3.1 - Orders Marked as Paid (via PayPal Standard Gateway)]
  • WooCommerce [woocommerce] < 5.7.0 [WooCommerce &lt; 6.2.1 - Path Traversal via Importers]
  • WooCommerce [woocommerce] < 6.2.1 [CVE-2022-0775, WooCommerce &lt; 6.2.1 - Subscriber+ Arbitrary Comment Deletion]
  • WooCommerce [woocommerce] < 5.7.0 [WooCommerce &lt; 5.7.0 &amp; WooCommerce Admin &lt; 2.6.4 - Analytics Report Leaks]
  • WooCommerce [woocommerce] < 4.6.2 [WooCommerce &lt; 4.6.2 - Guest Account Creation]
  • WooCommerce [woocommerce] < 4.2.1 [WooCommerce &lt; 4.2.1 - Potential Cross-Site Scripting (XSS) via SelectWoo]
  • WooCommerce [woocommerce] < 4.1.0 [WooCommerce &lt; 4.1.0 - Unescaped Metadata when Duplicating Products]
  • WooCommerce [woocommerce] < 3.6.5 [WooCommerce &lt;= 3.6.4 - Cross-Site Request Forgery (CSRF) &amp; File Type Check]
  • WooCommerce [woocommerce] < 3.5.1 [WooCommerce &lt;= 3.5.0 - Authenticated Stored XSS]
  • WooCommerce [woocommerce] < 3.4.6 [WooCommerce &lt;= 3.4.5 - Authenticated Phar Deserialization]
  • WooCommerce [woocommerce] < 3.4.6 [WooCommerce &lt;= 3.4.5 - Authenticated Stored XSS]
  • WooCommerce [woocommerce] < 3.4.6 [WooCommerce &lt;= 3.4.5 - Authenticated Object Injection]
  • WooCommerce [woocommerce] < 3.4.5 [WooCommerce &lt;= 3.4.4 - Potential Object Injection]
  • WooCommerce [woocommerce] < 2.6.4 [WooCommerce &lt;= 2.6.3 - Stored Cross Site Scripting (XSS) via REST API]
  • WooCommerce [woocommerce] < 2.4.9 [WooCommerce &lt;= 2.4.8 - Authenticated Cross-Site Scripting (XSS)]
  • WooCommerce [woocommerce] < 2.3.11 [WooCommerce 2.0.20-2.3.10 - Object Injection / XXE]
  • WooCommerce [woocommerce] < 2.6.3 [WooCommerce &lt;= 2.6.2 - Authenticated Cross-Site Scripting (XSS)]
  • WooCommerce [woocommerce] < 7.0.1 [WooCommerce <= 7.0.0 - Authenticated(Shop Manager+) Sensitive Information Exposure]
  • WooCommerce [woocommerce] < 7.9.0 [WooCommerce <= 7.8.2 - Sensitive Information Exposure]
  • WooCommerce [woocommerce] < 7.0.1 [WooCommerce &lt; 7.0.1 - Shop Manager+ User Metadata Disclosure]
  • WooCommerce [woocommerce] < 7.9 [WooCommerce &lt; 7.9 - Unauthenticated Sensitive Information Disclosure]
  • WooCommerce [woocommerce] < 8.2.0 [CVE-2023-47777, WordPress WooCommerce Plugin <= 8.1.1 is vulnerable to Cross Site Scripting (XSS), WooCommerce <= 8.1.1 & WooCommerce Blocks <= 11.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute, WooCommerce &lt;= 8.1.1 &amp; WooCommerce Blocks &lt;= 11.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute]
  • WooCommerce [woocommerce] < 7.0.1 [WooCommerce &lt; 7.0.1 - Authenticated(Shop Manager+) Sensitive Information Exposure]
  • WooCommerce [woocommerce] < 7.9.0 [WooCommerce &lt; 7.9.0 - Sensitive Information Exposure]
  • WooCommerce [woocommerce] < 8.3.0 [CVE-2023-52222, WordPress WooCommerce Plugin <= 8.2.2 is vulnerable to Cross Site Request Forgery (CSRF), WooCommerce <= 8.2.2 - Cross-Site Request Forgery, WooCommerce &lt; 8.3.0 - Cross-Site Request Forgery]
  • WooCommerce [woocommerce] < 8.4.0 [WooCommerce < 8.4.0 - Reflected Cross-Site Scripting]
  • WooCommerce [woocommerce] < 8.6.0 [CVE-2024-22155, WordPress WooCommerce Plugin <= 8.5.2 is vulnerable to Cross Site Request Forgery (CSRF), WooCommerce <= 8.5.2 - Cross-Site Request Forgery]
  • WooCommerce [woocommerce] < 8.4.0 [WordPress WooCommerce Plugin <= 8.3.0 is vulnerable to Cross Site Scripting (XSS)]
  • WooCommerce [woocommerce] < 8.6 [CVE-2024-1310, WordPress WooCommerce Plugin < 8.6 is vulnerable to Broken Access Control, WooCommerce <= 8.5.2 - Missing Authorization to Private/Draft Product Disclosure, WooCommerce &lt; 8.6 - Contributor+ Private/Draft Products Access]
  • WooCommerce [woocommerce] < 8.9.3 [WordPress WooCommerce Plugin <= 8.9.2 is vulnerable to Cross Site Scripting (XSS)]
  • WooCommerce [woocommerce] < 8.9.3 [CVE-2024-37297, WooCommerce 8.8.0 - 8.9.2 - Reflected Cross-Site Scripting via Order Attribution]
  • WooCommerce [woocommerce] < 9.0.0 [CVE-2024-35777, WordPress WooCommerce Plugin <= 8.9.2 is vulnerable to Content Injection, WooCommerce <= 8.9.2 - Authenticated (Shop Manager+) Content Injection]
  • WooCommerce [woocommerce] < 8.4.0 [WooCommerce &lt; 8.4.0 - Reflected Cross-Site Scripting]
  • WooCommerce [woocommerce] < 9.1.3 [CVE-2024-39666, WordPress WooCommerce Plugin <= 9.1.2 is vulnerable to Cross Site Scripting (XSS), WooCommerce <= 9.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting]
  • WooCommerce [woocommerce] < 9.1.0 [CVE-2024-9944, WordPress WooCommerce Plugin <= 9.0.2 is vulnerable to Content Injection, WooCommerce <= 9.0.2 - Unauthenticated HTML Injection]
  • WooCommerce [woocommerce] < 9.4.3 [WordPress WooCommerce Plugin < 9.4.3 is vulnerable to Broken Access Control]
  • WooCommerce [woocommerce] < 9.7.1 [CVE-2025-26762, WooCommerce <= 9.7.0 - Authenticated (Shop Manager+) Stored Cross-Site Scripting, EUVD-2025-14846]
  • WooCommerce [woocommerce] < 9.3.4 [WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting, WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting, EUVD-2025-16105]
  • WooCommerce [woocommerce] < 10.0.3 [CVE-2025-49042, WooCommerce <= 10.0.2 - Authenticated (Shop manager+) Stored Cross-Site Scripting]
  • WooCommerce [woocommerce] < 10.4.3 [CVE-2025-15033, WooCommerce <= 10.4.2 - Authenticated (Subscriber+) Information Exposure]
  • WooCommerce [woocommerce] < 10.5.3 [CVE-2026-3589, WooCommerce < 10.5.3 - Cross-Site Request Forgery]
  • WooCommerce [woocommerce] == 7.1.0 (unfixed) [CVE-2022-50972, EUVD-2022-56008]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.