In the WooCommerce Support Ticket System plugin for WordPress, versions 17.8 and prior, a medium-severity vulnerability, CVE-2024-13775, was detected. It allows attackers with Subscriber-level access or higher to delete posts and access user data. To address this issue, users should upgrade the WooCommerce Support Ticket System plugin to version 17.9 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-13775.
In Prestashop versions 8.1.7 a medium severity vulnerability CVE-2025-1230 was detected. This vulnerability allows attackers to exploit a Stored Cross-Site Scripting (XSS) flaw due to the lack of proper validation of user input through ‘/
In WooCommerce Wishlist versions before 1.8.8, a high-severity vulnerability, CVE-2024-13694, was detected. This vulnerability allows unauthenticated attackers to extract data from wishlists they should not have access to, due to missing validation on a user-controlled key in the download_pdf_file() function. To address this issue, users should upgrade to version 1.8.8 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-13694.
In the WooCommerce PDF Invoices, Packing Slips, Delivery Notes, and Shipping Labels plugin, versions 4.7.1 and prior, a medium-severity vulnerability, CVE-2025-24644, was detected. This vulnerability allows attackers to execute a stored cross-site scripting (XSS) attack due to improper neutralization of input during web page generation. To address this issue, users should update the WooCommerce PDF Invoices, Packing Slips, Delivery Notes, and Shipping Labels plugin to version 4.7.2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24644.
In WC Product Table WooCommerce Product Table Lite, versions 3.8.7 and prior, a medium-severity vulnerability, CVE-2025-24596, was detected. This vulnerability allows attackers to exploit incorrectly configured access control security levels, leading to unauthorized actions. To address this issue, users should upgrade the WooCommerce Product Table Lite WordPress plugin to version 3.9.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-24596.
In the MIMO Woocommerce Order Tracking plugin, versions up to 1.0.2, a medium-severity vulnerability, CVE-2024-5769, was detected. This vulnerability allows authenticated attackers with Subscriber-level access or higher to modify shipper tracking settings due to missing capability checks on several functions. There is no patched version available at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-5769.
In the Ultimate Gift Cards for WooCommerce plugin, versions up to 2.9.1, a high-severity vulnerability, CVE-2024-11423, was detected. This vulnerability allows unauthenticated attackers to modify gift card balances via several REST API endpoints, such as /wp-json/gifting/recharge-giftcard, without making a payment or purchasing anything. To address this issue, users should upgrade to version 2.9.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11423.
In the Shipping via Planzer for WooCommerce plugin, versions up to 1.0.25, a medium-severity vulnerability, CVE-2024-12337, was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the ‘processed-ids’ parameter due to insufficient input sanitization and output escaping. To address this issue, users should upgrade to version 1.0.26 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12337.
In the Deliver via Shipos for WooCommerce plugin, versions up to 2.1.7, a medium-severity vulnerability, CVE-2024-12222, was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via the ‘dvsfw_bulk_label_url’ parameter due to insufficient input sanitization and output escaping. At the moment, there is no patched version available. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12222.