PLUGIN SECURITY
Is WooCommerce safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the WooCommerce WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
woocommerce - Requires PHP: 7.4+
Known vulnerabilities
- WooCommerce [woocommerce] < 6.6.0 [CVE-2021-32790, WooCommerce < 5.5 - Authenticated Blind SQL Injection, Woocommerce 3.3 to 5.5 - Authenticated Blind SQL Injection]
- WooCommerce [woocommerce] < 5.2.0 [CVE-2021-24323, WooCommerce <= 5.1.3 - Authenticated (Admin+) Stored Cross-Site Scripting, Woocommerce < 5.2.0 - Authenticated Stored Cross-Site Scripting (XSS)]
- WooCommerce [woocommerce] < 4.7.0 [CVE-2020-29156, WordPress WooCommerce plugin <= 4.6.2 - Sensitive Information Disclosure vulnerability, WooCommerce < 4.7.0 - Insecure Direct Object Reference via order_id Parameter, WooCommerce < 4.7.0 - Arbitrary Order Status Disclosure via IDOR]
- WooCommerce [woocommerce] < 3.2.4 [CVE-2017-18356, WooCommerce <= 3.2.3 - Authenticated PHP Object Injection, WooCommerce <= 3.2.3 - Authenticated PHP Object Injection]
- WooCommerce [woocommerce] < 3.4.6 [CVE-2018-20714, WooCommerce <= 3.4.5 - WooCommerce File Deletion, WooCommerce <= 3.4.5 - Authenticated File Deletion to Privilege Escalation]
+ 92 more known vulnerabilities
- WooCommerce [woocommerce] >= 2.3 - <= 2.3.5 [CVE-2015-2329, WooCommerce <= 2.3.5 - Stored Cross-Site Scripting, WooCommerce 2.3 - 2.3.5 - SQL Injection]
- WooCommerce [woocommerce] < 4.0 [CVE-2017-17058]
- WooCommerce [woocommerce] < 2.6.9 [CVE-2016-10112, WordPress WooCommerce Plugin <= 2.6.8 - Cross Site Scripting, WooCommerce <= 2.6.8 - Authenticated Stored Cross-Site Scripting, WooCommerce <= 2.6.8 - Authenticated Tax-Rate CSV XSS]
- WooCommerce [woocommerce] < 2.2.11 [CVE-2015-2069, WordPress WooCommerce Plugin <= 2.2.10 - XSS, WooCommerce <= 2.2.10 - Cross-Site Scripting, WooCommerce <= 2.2.10 - Cross-Site Scripting (XSS)]
- WooCommerce [woocommerce] < 2.2.3 [CVE-2014-6313, WordPress WooCommerce plugin <= 2.2.2 - Cross-Site Scripting (XSS) vulnerability, WooCommerce <= 2.2.2 - Cross-Site Scripting via range Parameter, WooCommerce <= 2.2.2 - Reflected Cross-Site Scripting (XSS)]
- WooCommerce [woocommerce] < 6.3.1 [WordPress WooCommerce plugin <= 6.3.0 - Orders Status Change (via PayPal Standard Gateway) vulnerability]
- WooCommerce [woocommerce] < 6.2.1 [WordPress WooCommerce plugin <= 6.2.0 - Path Traversal via Importers vulnerability]
- WooCommerce [woocommerce] < 6.2.1 [WordPress WooCommerce plugin <= 6.2.0 - Arbitrary Comment Deletion vulnerability]
- WooCommerce [woocommerce] < 5.7.0 [WordPress WooCommerce plugin <= 5.6.0 - Analytics Report Leaks vulnerability]
- WooCommerce [woocommerce] < 5.5.1 [WordPress WooCommerce plugin <= 5.5.0 - Unauthenticated SQL Injection (SQLi) vulnerability]
- WooCommerce [woocommerce] < 5.2.0 [WordPress WooCommerce plugin <= 5.1.0 - Authenticated Persistent Cross-Site Scripting (XSS) vulnerability]
- WooCommerce [woocommerce] < 4.6.2 [WordPress WooCommerce plugin <= 4.6.1 - Guest Account Creation vulnerability]
- WooCommerce [woocommerce] < 3.6.5 [WordPress WooCommerce plugin <= 3.6.4 - Cross-Site Request Forgery (CSRF) vulnerability]
- WooCommerce [woocommerce] < 3.5.5 [CVE-2019-9168, WordPress WooCommerce plugin <= 3.5.4 - Stored Cross-Site Scripting (XSS) vulnerability, WooCommerce <= 3.5.4 - Stored Cross-Site Scripting, WooCommerce <= 3.5.4 - Stored Cross-Site Scripting (XSS)]
- WooCommerce [woocommerce] < 3.5.1 [WordPress WooCommerce plugin <= 3.5.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability]
- WooCommerce [woocommerce] < 3.4.6 [WordPress WooCommerce plugin <= 3.4.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability]
- WooCommerce [woocommerce] < 3.4.6 [WordPress WooCommerce plugin <= 3.4.5 - Authenticated File Deletion to Privilege Escalation vulnerability]
- WooCommerce [woocommerce] < 3.4.6 [WordPress WooCommerce plugin <= 3.4.5 - Authenticated Object Injection vulnerability]
- WooCommerce [woocommerce] < 3.4.5 [WordPress WooCommerce plugin <= 3.4.4 - Potential Object Injection vulnerability]
- WooCommerce [woocommerce] < 3.2.4 [WordPress WooCommerce plugin <=3.2.3 - Authenticated PHP Object Injection vulnerability]
- WooCommerce [woocommerce] < 2.6.4 [WordPress WooCommerce Plugin <= 2.6.3 - Cross Site Scripting]
- WooCommerce [woocommerce] < 2.6.3 [WordPress WooCommerce Plugin <= 2.6.2 - Cross Site Scripting]
- WooCommerce [woocommerce] < 2.4.9 [WordPress WooCommerce Plugin <= 2.4.8 - Cross Site Scripting]
- WooCommerce [woocommerce] < 2.3.11 [WordPress WooCommerce Plugin <= 2.3.10 - XXE]
- WooCommerce [woocommerce] < 2.2.3 [WordPress WooCommerce Plugin <= 2.1.12 - Reflected XSS]
- WooCommerce [woocommerce] < 2.0.18 [WordPress WooCommerce Plugin <= 2.0.17 - Reflected Cross Site Scripting]
- WooCommerce [woocommerce] < 2.0.13 [WordPress WooCommerce Plugin <= 2.0.12 - Cross Site Scripting]
- WooCommerce [woocommerce] < 2.3.6 [WordPress WooCommerce Plugin <= 2.3.5 - SQL Injection]
- WooCommerce [woocommerce] < 6.6.0 [CVE-2022-2099, WordPress WooCommerce plugin <= 6.5.1 - Authenticated Stored HTML Injection vulnerability, WooCommerce <= 6.5.1 - Authenticated (Admin+) HTML Injection, WooCommerce < 6.6.0 - Admin+ Stored HTML Injection]
- WooCommerce [woocommerce] < 5.7.0 [WooCommerce < 5.7.0 & WooCommerce Admin < 2.6.4 - Information Disclosure]
- WooCommerce [woocommerce] < 6.3.1 [WooCommerce < 6.3.1 - Unauthorized Order Status Change]
- WooCommerce [woocommerce] < 6.2.1 [WooCommerce <= 6.2.0 - Incorrect Authorization Checks on REST API Endpoints]
- WooCommerce [woocommerce] < 6.2.1 [WooCommerce <= 6.2.0 - Path Traversal via Tax Importer]
- WooCommerce [woocommerce] < 4.6.2 [WooCommerce <= 4.6.1 & WooCommerce Blocks <= 3.7.0 - Settings Bypass leading to Account Creation]
- WooCommerce [woocommerce] < 4.2.1 [WooCommerce <= 4.2.0 - Reflected Cross-Site Scripting]
- WooCommerce [woocommerce] < 4.1.0 [WooCommerce <= 4.0.4 - Unauthorized Post Meta Creation/Modification]
- WooCommerce [woocommerce] < 3.6.5 [WooCommerce <= 3.6.4 - Missing File Type Validation]
- WooCommerce [woocommerce] < 3.6.5 [WooCommerce <= 3.6.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting]
- WooCommerce [woocommerce] < 3.5.2 [WooCommerce <= 3.5.1 - Authenticated Stored Cross-Site Scripting]
- WooCommerce [woocommerce] < 3.4.5 [WooCommerce <= 3.4.4 - Authenticated PHP Object Injection]
- WooCommerce [woocommerce] < 2.6.4 [WooCommerce <= 2.6.3 - Stored Cross-Site Scripting via REST-API]
- WooCommerce [woocommerce] < 2.6.3 [WooCommerce <= 2.6.2 - Stored Cross-Site Scripting]
- WooCommerce [woocommerce] < 2.4.9 [WooCommerce < 2.4.9 - Cross-site Scripting]
- WooCommerce [woocommerce] >= 2.0.20 - <= 2.3.10 [WooCommerce <= 2.3.10 - PHP Object Injection]
- WooCommerce [woocommerce] < 2.2.3 [WooCommerce <= 2.2.2 - Reflected Cross-Site Scripting]
- WooCommerce [woocommerce] < 2.0.18 [WooCommerce <= 2.0.17 - Cross-Site Scripting]
- WooCommerce [woocommerce] < 2.0.13 [WooCommerce <= 2.0.12 - Self-Reflected Cross-Site Scripting]
- WooCommerce [woocommerce] < 2.2.3 [WooCommerce <= 2.1.12 - Reflected Cross-Site Scripting (XSS)]
- WooCommerce [woocommerce] < 2.0.13 [WooCommerce 2.0.12 - index.php calc_shipping_state Parameter XSS]
- WooCommerce [woocommerce] < 2.0.17 [WooCommerce 2.0.17 - hide-wc-extensions-message Parameter Reflected XSS]
- WooCommerce [woocommerce] < 6.2.1 [WooCommerce < 6.3.1 - Orders Marked as Paid (via PayPal Standard Gateway)]
- WooCommerce [woocommerce] < 5.7.0 [WooCommerce < 6.2.1 - Path Traversal via Importers]
- WooCommerce [woocommerce] < 6.2.1 [CVE-2022-0775, WooCommerce < 6.2.1 - Subscriber+ Arbitrary Comment Deletion]
- WooCommerce [woocommerce] < 5.7.0 [WooCommerce < 5.7.0 & WooCommerce Admin < 2.6.4 - Analytics Report Leaks]
- WooCommerce [woocommerce] < 4.6.2 [WooCommerce < 4.6.2 - Guest Account Creation]
- WooCommerce [woocommerce] < 4.2.1 [WooCommerce < 4.2.1 - Potential Cross-Site Scripting (XSS) via SelectWoo]
- WooCommerce [woocommerce] < 4.1.0 [WooCommerce < 4.1.0 - Unescaped Metadata when Duplicating Products]
- WooCommerce [woocommerce] < 3.6.5 [WooCommerce <= 3.6.4 - Cross-Site Request Forgery (CSRF) & File Type Check]
- WooCommerce [woocommerce] < 3.5.1 [WooCommerce <= 3.5.0 - Authenticated Stored XSS]
- WooCommerce [woocommerce] < 3.4.6 [WooCommerce <= 3.4.5 - Authenticated Phar Deserialization]
- WooCommerce [woocommerce] < 3.4.6 [WooCommerce <= 3.4.5 - Authenticated Stored XSS]
- WooCommerce [woocommerce] < 3.4.6 [WooCommerce <= 3.4.5 - Authenticated Object Injection]
- WooCommerce [woocommerce] < 3.4.5 [WooCommerce <= 3.4.4 - Potential Object Injection]
- WooCommerce [woocommerce] < 2.6.4 [WooCommerce <= 2.6.3 - Stored Cross Site Scripting (XSS) via REST API]
- WooCommerce [woocommerce] < 2.4.9 [WooCommerce <= 2.4.8 - Authenticated Cross-Site Scripting (XSS)]
- WooCommerce [woocommerce] < 2.3.11 [WooCommerce 2.0.20-2.3.10 - Object Injection / XXE]
- WooCommerce [woocommerce] < 2.6.3 [WooCommerce <= 2.6.2 - Authenticated Cross-Site Scripting (XSS)]
- WooCommerce [woocommerce] < 7.0.1 [WooCommerce <= 7.0.0 - Authenticated(Shop Manager+) Sensitive Information Exposure]
- WooCommerce [woocommerce] < 7.9.0 [WooCommerce <= 7.8.2 - Sensitive Information Exposure]
- WooCommerce [woocommerce] < 7.0.1 [WooCommerce < 7.0.1 - Shop Manager+ User Metadata Disclosure]
- WooCommerce [woocommerce] < 7.9 [WooCommerce < 7.9 - Unauthenticated Sensitive Information Disclosure]
- WooCommerce [woocommerce] < 8.2.0 [CVE-2023-47777, WordPress WooCommerce Plugin <= 8.1.1 is vulnerable to Cross Site Scripting (XSS), WooCommerce <= 8.1.1 & WooCommerce Blocks <= 11.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute, WooCommerce <= 8.1.1 & WooCommerce Blocks <= 11.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Featured Image alt Attribute]
- WooCommerce [woocommerce] < 7.0.1 [WooCommerce < 7.0.1 - Authenticated(Shop Manager+) Sensitive Information Exposure]
- WooCommerce [woocommerce] < 7.9.0 [WooCommerce < 7.9.0 - Sensitive Information Exposure]
- WooCommerce [woocommerce] < 8.3.0 [CVE-2023-52222, WordPress WooCommerce Plugin <= 8.2.2 is vulnerable to Cross Site Request Forgery (CSRF), WooCommerce <= 8.2.2 - Cross-Site Request Forgery, WooCommerce < 8.3.0 - Cross-Site Request Forgery]
- WooCommerce [woocommerce] < 8.4.0 [WooCommerce < 8.4.0 - Reflected Cross-Site Scripting]
- WooCommerce [woocommerce] < 8.6.0 [CVE-2024-22155, WordPress WooCommerce Plugin <= 8.5.2 is vulnerable to Cross Site Request Forgery (CSRF), WooCommerce <= 8.5.2 - Cross-Site Request Forgery]
- WooCommerce [woocommerce] < 8.4.0 [WordPress WooCommerce Plugin <= 8.3.0 is vulnerable to Cross Site Scripting (XSS)]
- WooCommerce [woocommerce] < 8.6 [CVE-2024-1310, WordPress WooCommerce Plugin < 8.6 is vulnerable to Broken Access Control, WooCommerce <= 8.5.2 - Missing Authorization to Private/Draft Product Disclosure, WooCommerce < 8.6 - Contributor+ Private/Draft Products Access]
- WooCommerce [woocommerce] < 8.9.3 [WordPress WooCommerce Plugin <= 8.9.2 is vulnerable to Cross Site Scripting (XSS)]
- WooCommerce [woocommerce] < 8.9.3 [CVE-2024-37297, WooCommerce 8.8.0 - 8.9.2 - Reflected Cross-Site Scripting via Order Attribution]
- WooCommerce [woocommerce] < 9.0.0 [CVE-2024-35777, WordPress WooCommerce Plugin <= 8.9.2 is vulnerable to Content Injection, WooCommerce <= 8.9.2 - Authenticated (Shop Manager+) Content Injection]
- WooCommerce [woocommerce] < 8.4.0 [WooCommerce < 8.4.0 - Reflected Cross-Site Scripting]
- WooCommerce [woocommerce] < 9.1.3 [CVE-2024-39666, WordPress WooCommerce Plugin <= 9.1.2 is vulnerable to Cross Site Scripting (XSS), WooCommerce <= 9.1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting]
- WooCommerce [woocommerce] < 9.1.0 [CVE-2024-9944, WordPress WooCommerce Plugin <= 9.0.2 is vulnerable to Content Injection, WooCommerce <= 9.0.2 - Unauthenticated HTML Injection]
- WooCommerce [woocommerce] < 9.4.3 [WordPress WooCommerce Plugin < 9.4.3 is vulnerable to Broken Access Control]
- WooCommerce [woocommerce] < 9.7.1 [CVE-2025-26762, WooCommerce <= 9.7.0 - Authenticated (Shop Manager+) Stored Cross-Site Scripting, EUVD-2025-14846]
- WooCommerce [woocommerce] < 9.3.4 [WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting, WooCommerce <= 9.4.2 - PostMessage-Based Cross-Site Scripting, EUVD-2025-16105]
- WooCommerce [woocommerce] < 10.0.3 [CVE-2025-49042, WooCommerce <= 10.0.2 - Authenticated (Shop manager+) Stored Cross-Site Scripting]
- WooCommerce [woocommerce] < 10.4.3 [CVE-2025-15033, WooCommerce <= 10.4.2 - Authenticated (Subscriber+) Information Exposure]
- WooCommerce [woocommerce] < 10.5.3 [CVE-2026-3589, WooCommerce < 10.5.3 - Cross-Site Request Forgery]
- WooCommerce [woocommerce] == 7.1.0 (unfixed) [CVE-2022-50972, EUVD-2022-56008]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation — 1000000+ active installs — max PHP 8.4
- WooCommerce PayPal Payments — 800000+ active installs — max PHP 8.4
- Mailchimp for WooCommerce — 200000+ active installs — max PHP 8.4
- WPML Multilingual & Multicurrency for WooCommerce — 100000+ active installs
- Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress — 100000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.