| CVE | Title | Author | Product | Severity | CVSS | Date | Details |
|---|---|---|---|---|---|---|---|
| CVE-2025-66109 | WordPress Cart Weight for WooCommerce plugin <= 1.9.11 - Broken Access Control vulnerability | Octolize Shipping Plugins | Cart Weight for WooCommerce | Medium | 5.3 | 2025-11-21 12:30:05 | Deep Dive |
| CVE-2025-66089 | WordPress Product Feed for WooCommerce plugin <= 2.3.1 - Broken Access Control vulnerability | WebToffee | Product Feed for WooCommerce | Medium | 4.3 | 2025-11-21 12:29:59 | Deep Dive |
| CVE-2025-66071 | WordPress Custom Order Numbers for WooCommerce plugin <= 1.11.0 - Broken Access Control vulnerability | tychesoftwares | Custom Order Numbers for WooCommerce | Medium | 5.3 | 2025-11-21 12:29:56 | Deep Dive |
| CVE-2025-66069 | WordPress PPOM for WooCommerce plugin <= 33.0.16 - Broken Access Control vulnerability | Themeisle | PPOM for WooCommerce | Medium | 4.3 | 2025-11-21 12:29:56 | Deep Dive |
| CVE-2025-12964 | Magical Products Display <= 1.1.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via MPD Pricing Table Widget | nalam-1 | Magical Shop Builder – WooCommerce Template Builder for Elementor \| Shop, Cart, Checkout & Product Page Builder | Medium | 6.4 | 2025-11-21 09:27:01 | Deep Dive |
| CVE-2025-13156 | Vitepos – Point of Sale (POS) for WooCommerce <= 3.3.0 - Authenticated (Subscriber+) Arbitrary File Upload to Remote Code Execution | appsbd | Vitepos – Point of Sale (POS) for WooCommerce | High | 8.8 | 2025-11-21 08:28:15 | Deep Dive |
| CVE-2025-12039 | BigBuy Dropshipping Connector for WooCommerce <= 2.0.5 - Unauthenticated IP Spoofing to phpinfo() Exposure | devsmip | BigBuy Dropshipping Connector for WooCommerce | Medium | 5.3 | 2025-11-21 08:28:12 | Deep Dive |
| CVE-2025-12881 | Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read | wpswings | Return Refund and Exchange For WooCommerce | Medium | 5.4 | 2025-11-21 07:31:53 | Deep Dive |
| CVE-2025-12086 | Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Refund Request Cancellation | wpswings | Return Refund and Exchange For WooCommerce | Medium | 4.3 | 2025-11-21 07:31:47 | Deep Dive |
| CVE-2025-5092 | Multiple Plugins and Themes <= (Various Versions) - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via lightGallery JavaScript Library | lightgalleryteam | LightGallery WP | Medium | 6.4 | 2025-11-20 06:38:42 | Deep Dive |
| CVE-2025-12878 | FunnelKit – Funnel Builder for WooCommerce Checkout <= 3.13.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via wfop_phone Shortcode | amans2k | FunnelKit – Funnel Builder for WooCommerce Checkout | Medium | 6.4 | 2025-11-19 05:45:14 | Deep Dive |
| CVE-2025-12349 | Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger | icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress | Medium | 5.3 | 2025-11-19 04:28:19 | Deep Dive |
| CVE-2025-12427 | YITH WooCommerce Wishlist <= 4.10.0 - Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename | yithemes | YITH WooCommerce Wishlist | Medium | 5.3 | 2025-11-19 03:29:40 | Deep Dive |
| CVE-2025-12777 | YITH WooCommerce Wishlist <= 4.10.0 - Unauthenticated Wishlist Token Disclosure to Wishlist Item Deletion | yithemes | YITH WooCommerce Wishlist | Medium | 5.3 | 2025-11-19 03:29:39 | Deep Dive |
| CVE-2025-12545 | Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more <= 1.49.2 - Unauthenticated Information Exposure | alekv | Pixel Manager for WooCommerce – Conversion Tracking, Google Ads, GA4, TikTok, Dynamic Remarketing | Medium | 5.3 | 2025-11-18 13:54:51 | Deep Dive |
| CVE-2025-12639 | wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions \| for WooCommerce <= 1.2.2 - Missing Authorization to Sensitive Information Disclosure | sundayfanz | wModes – Catalog Mode, Product Pricing, Enquiry Forms & Promotions \| for WooCommerce | Medium | 4.3 | 2025-11-18 09:27:39 | Deep Dive |
| CVE-2025-12392 | Cryptocurrency Payment Gateway for WooCommerce <= 2.0.25 - Missing Authorization to Unauthenticated Tracking Status Update | tripleatechnology | Cryptocurrency Payment Gateway for WooCommerce | Medium | 5.3 | 2025-11-18 09:27:39 | Deep Dive |
| CVE-2025-12955 | Live sales notification for WooCommerce <= 2.3.39 - Missing Authorization to Unauthenticated Customer Data Exposure | rajeshsingh520 | PiWeb Live sales notification for WooCommerce | High | 7.5 | 2025-11-18 09:27:37 | Deep Dive |
| CVE-2025-4212 | Checkout Files Upload for WooCommerce <= 2.2.1 - Unauthenticated Stored Cross-Site Scripting | wpwham | Checkout Files Upload for WooCommerce | High | 7.2 | 2025-11-18 09:27:36 | Deep Dive |
| CVE-2025-13088 | Category and Product Woocommerce Tabs <= 1.0 - Authenticated (Contributor+) Local File Inclusion | ikhodal | Category and Product Woocommerce Tabs | High | 8.8 | 2025-11-18 08:27:37 | Deep Dive |