| CVE-2025-14880 | Netcash WooCommerce Payment Gateway <= 4.1.3 - Missing Authorization to Unauthenticated Order Status Modification | netcashpaynow | Netcash WooCommerce Payment Gateway | Medium | 5.3 | 2026-01-14 05:28:10 | Deep Dive |
| CVE-2026-0678 | Shipping Rates by City for WooCommerce <= 1.0.3 - Authenticated (Shop Manager+) SQL Injection via 'cities' Parameter | logiceverest | Shipping Rates by City for WooCommerce | Medium | 4.9 | 2026-01-14 05:28:08 | Deep Dive |
| CVE-2025-14301 | Integration Opvius AI for WooCommerce <= 1.3.0 - Unauthenticated Arbitrary File Deletion/Read via Path Traversal | woosaai | Integration Opvius AI for WooCommerce | Critical | 9.8 | 2026-01-14 05:28:06 | Deep Dive |
| CVE-2025-14948 | miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 - Missing Authorization to Unauthenticated Notification Settings Modification | cyberlord92 | miniOrange OTP Verification and SMS Notification for WooCommerce | Medium | 5.3 | 2026-01-10 07:03:56 | Deep Dive |
| CVE-2025-13457 | WooCommerce Square <= 5.1.1 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id | woocommerce | WooCommerce Square | High | 7.5 | 2026-01-10 03:21:01 | Deep Dive |
| CVE-2025-14886 | Japanized for WooCommerce <= 2.7.17 - Missing Authorization to Unauthenticated Order Status Modification | shoheitanaka | Japanized for WooCommerce | Medium | 5.3 | 2026-01-09 04:31:05 | Deep Dive |
| CVE-2025-14436 | Brevo for WooCommerce <= 4.0.49 - Unauthenticated Stored Cross-Site Scripting | neeraj_slit | Brevo for WooCommerce | High | 7.2 | 2026-01-08 21:21:55 | Deep Dive |
| CVE-2025-22713 | WordPress WooCommerce Orders & Customers Exporter plugin <= 5.4 - SQL Injection vulnerability | vanquish | WooCommerce Orders & Customers Exporter | High | 8.5 | 2026-01-08 09:17:39 | Deep Dive |
| CVE-2025-14460 | Piraeus Bank WooCommerce Payment Gateway <= 3.1.4 - Missing Authorization to Unauthenticated Arbitrary Order Status Change | enartia | Piraeus Bank WooCommerce Payment Gateway | Medium | 5.3 | 2026-01-07 09:21:05 | Deep Dive |
| CVE-2025-13974 | Email Customizer for WooCommerce \| Drag and Drop Email Templates Builder <= 2.6.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via Email Template Content | themehigh | Email Customizer for WooCommerce \| Drag and Drop Email Templates Builder | Medium | 4.4 | 2026-01-07 09:21:04 | Deep Dive |
| CVE-2025-14070 | Reviewify <= 1.0.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary WooCommerce Coupon Creation | xfinitysoft | Reviewify — Review Discounts & Photo/Video Reviews for WooCommerce | High | 7.5 | 2026-01-07 09:21:01 | Deep Dive |
| CVE-2025-14626 | QR Code for WooCommerce order emails, PDF invoices, packing slips <= 1.9.42 - Authenticated (Contributor+) Cross-Site Scripting via Shortcode Attributes | www15to | QR Code for WooCommerce order emails, PDF invoices, packing slips | Medium | 6.4 | 2026-01-07 09:20:57 | Deep Dive |
| CVE-2025-13369 | Premmerce WooCommerce Customers Manager <= 1.1.14 - Reflected Cross-Site Scripting | premmerce | Premmerce WooCommerce Customers Manager | Medium | 6.1 | 2026-01-07 07:17:34 | Deep Dive |
| CVE-2026-0656 | iPaymu Payment Gateway for WooCommerce <= 2.0.2 - Missing Authentication to Unauthenticated Payment Bypass and Order Information Disclosure | ipaymu | iPaymu Payment Gateway for WooCommerce | High | 8.2 | 2026-01-07 06:36:03 | Deep Dive |
| CVE-2025-14875 | HBLPAY Payment Gateway for WooCommerce <= 5.0.0 - Reflected Cross-Site Scripting via 'cusdata' Parameter | hblpay | HBLPAY Payment Gateway for WooCommerce | Medium | 6.1 | 2026-01-07 06:35:58 | Deep Dive |
| CVE-2025-14059 | EmailKit <= 1.6.1 - Authenticated (Author+) Arbitrary File Read via Path Traversal | roxnor | EmailKit – Email Customizer for WooCommerce & WP | Medium | 6.5 | 2026-01-07 03:21:04 | Deep Dive |
| CVE-2025-14891 | Customer Reviews for WooCommerce <= 5.93.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via displayName Parameter | ivole | Customer Reviews for WooCommerce | Medium | 6.4 | 2026-01-07 03:21:03 | Deep Dive |
| CVE-2025-69334 | WordPress Wishlist for WooCommerce plugin <= 3.3.0 - Cross Site Scripting (XSS) vulnerability | WPFactory | Wishlist for WooCommerce | Medium | - | 2026-01-06 16:36:38 | Deep Dive |
| CVE-2025-14441 | Popupkit <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Subscriber Data Deletion | roxnor | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | Medium | 4.3 | 2026-01-06 04:31:56 | Deep Dive |
| CVE-2025-14034 | ilGhera Support System for WooCommerce <= 1.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Deletion | ghera74 | ilGhera Support System for WooCommerce | Medium | 5.3 | 2026-01-06 03:21:41 | Deep Dive |