In WooCommerce version 7.1.0 a critical severity vulnerability CVE-2022-50972 was detected. This vulnerability allows an attacker to execute arbitrary PHP code and write malicious PHP files directly to the web root. This occurs due to improper sanitization of the product-type parameter within the class-wc-meta-box-product-images.php endpoint, which permits the injection of shell commands. To address this issue, users should upgrade WooCommerce to a patched version 7.1.1 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2022-50972.
In Adobe Commerce versions 2.4.9-beta1, 2.4.8-p4, 2.4.7-p9, 2.4.6-p14, 2.4.5-p16, 2.4.4-p17 and earlier a low severity vulnerability CVE-2026-34685 was detected. This vulnerability allows a high-privileged attacker to bypass security measures and gain unauthorized write access (potentially leading to arbitrary file system writes). This occurs due to improper input validation. Exploitation of this issue requires user interaction, meaning a victim must visit a maliciously crafted URL or interact with a compromised web page. To address this issue, users should upgrade Adobe Commerce to version 2.4.9 or higher. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-34685.
In PrestaShop versions prior to 8.2.4 and 9.0.3 a medium severity vulnerability CVE-2026-25597 was detected. This vulnerability allows attackers to perform time-based user enumeration in the front-office login form by measuring response time differences to determine whether a customer account exists. To address this issue, users should upgrade PrestaShop to versions 8.2.4, 9.0.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-25597.
In WooCommerce versions prior to and including 10.0.2 a medium severity vulnerability CVE-2025-49042 was detected. This vulnerability allows remote attackers to perform stored cross-site scripting (XSS) due to improper neutralization of input during web page generation. To fix this vulnerability, users should upgrade to a version later than 10.0.2. For more details, visit https://avd.aquasec.com/nvd/2025/cve-2025-49042.
In Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier a high severity vulnerability CVE-2025-54236 was detected. This vulnerability is caused by improper input validation and allows attackers to achieve session takeover, with a high impact on confidentiality and integrity. To address this issue, users should upgrade Adobe Commerce to version 2.4.10. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-54236.
In Liferay Portal versions 7.4.3.120 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 a medium severity vulnerability CVE-2025-43740 was detected. This vulnerability allows an authenticated attacker to inject JavaScript through the message boards feature available via the web interface. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q1.6 or 2025.Q2.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43740.
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43739 was detected. This vulnerability allows an authenticated attacker to modify the content of emails sent through the calendar portlet, which enables them to send phishing emails to other users in the same organization. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q2.0 or 2025.Q1.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43739.
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 a medium severity vulnerability CVE-2025-43738 was detected. This vulnerability allows an authenticated attacker to inject JavaScript code via the _com_liferay_expando_web_portlet_ExpandoPortlet_displayType parameter. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2025.Q1.6 or 2025.Q2.9. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43738.
In Liferay Portal versions 7.4.0 through 7.4.3.132, and Liferay DXP versions 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 a medium severity vulnerability CVE-2025-43742 was detected. This vulnerability allows attackers to inject JavaScript into web content for friendly URLs. To address this issue, users should upgrade Liferay Portal to master branch and Liferay DXP to versions 2024.Q1.15, 2025.Q1.4 or 2025.Q2.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-43742.