| CVE-2026-2019 | Cart All In One For WooCommerce <= 1.1.21 - Authenticated (Administrator+) Code Injection via 'sc_assign_page' Setting | villatheme | Cart All In One For WooCommerce | High | 7.2 | 2026-02-18 06:42:39 | Deep Dive |
| CVE-2026-1906 | PDF Invoices & Packing Slips for WooCommerce <= 5.6.0 - Missing Authorization to Authenticated (Subscriber+) Peppol Identifier Modification | wpovernight | PDF Invoices & Packing Slips for WooCommerce | Medium | 4.3 | 2026-02-18 05:29:17 | Deep Dive |
| CVE-2026-1925 | EmailKit – Email Customizer for WooCommerce & WP <= 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Title Modification | roxnor | EmailKit – Email Customizer for WooCommerce & WP | Medium | 4.3 | 2026-02-18 04:35:47 | Deep Dive |
| CVE-2026-1714 | ShopLentor <= 3.3.2 - Unauthenticated Email Relay Abuse via 'woolentor_suggest_price_action' AJAX Action | devitemsllc | ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin | High | 8.6 | 2026-02-18 04:35:46 | Deep Dive |
| CVE-2025-12075 | Order Splitter for WooCommerce <= 5.3.5 - Missing Authorization to Authenticated (Subscriber+) Order Information Exposure | fahadmahmood | Order Splitter for WooCommerce | Medium | 4.3 | 2026-02-18 04:35:44 | Deep Dive |
| CVE-2026-1258 | Mail Mint <= 1.19.2 - Authenticated (Administrator+) SQL Injection via Multiple API Endpoints | getwpfunnels | Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails | Medium | 4.9 | 2026-02-14 08:26:48 | Deep Dive |
| CVE-2026-1988 | Flexi Product Slider and Grid for WooCommerce <= 1.0.5 - Authenticated (Contributor+) Local File Inclusion via 'theme' Shortcode Attribute | wpdecent | Flexi Product Slider and Grid for WooCommerce | High | 7.5 | 2026-02-14 06:42:38 | Deep Dive |
| CVE-2026-0692 | BlueSnap Payment Gateway for WooCommerce <= 3.4.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Manipulation | bluesnap | BlueSnap Payment Gateway for WooCommerce | High | 7.5 | 2026-02-14 04:35:43 | Deep Dive |
| CVE-2026-1316 | Customer Reviews for WooCommerce <= 5.97.0 - Unauthenticated Stored Cross-Site Scripting via media[].href Parameter | ivole | Customer Reviews for WooCommerce | High | 7.2 | 2026-02-12 12:31:51 | Deep Dive |
| CVE-2025-13391 | Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) <= 4.9.60 - Missing Authorization to Unauthenticated Arbitrary Attachment and Dropbox File Deletion | MooMoo | Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) | Medium | 5.8 | 2026-02-11 16:25:10 | Deep Dive |
| CVE-2026-1826 | OpenPOS Lite <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | openpos | OpenPOS Lite – Point of Sale for WooCommerce | Medium | 6.4 | 2026-02-11 08:26:28 | Deep Dive |
| CVE-2026-1748 | Invoct – PDF Invoices & Billing for WooCommerce <= 1.6 - Missing Authorization to Authenticated (Subscriber+) Information Exposure | kirilkirkov | Invoct – PDF Invoices & Billing for WooCommerce | Medium | 4.3 | 2026-02-11 08:26:26 | Deep Dive |
| CVE-2025-15400 | OpenPix <= 2.13.3 - Subscriber+ Payment Gateway Settings Reset | Unknown | OpenPix for WooCommerce | - | - | 2026-02-11 06:00:04 | Deep Dive |
| CVE-2025-14895 | PopupKit <= 2.2.0 - Missing Authorization to Sensitive Information Disclosure and Data Deletion | roxnor | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | Medium | 5.4 | 2026-02-10 09:26:06 | Deep Dive |
| CVE-2026-1722 | WCFM Marketplace <= 3.7.0 - Insecure Direct Object Reference to Unauthenticated Arbitrary Refund Request Creation | wclovers | WCFM Marketplace – Multivendor Marketplace for WooCommerce | Medium | 5.3 | 2026-02-10 07:27:01 | Deep Dive |
| CVE-2026-0845 | WCFM - WooCommerce Frontend Manager <= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update | wclovers | WCFM – Frontend Manager for WooCommerce | High | 7.2 | 2026-02-09 23:23:28 | Deep Dive |
| CVE-2025-15147 | WCFM Membership – WooCommerce Memberships for Multivendor Marketplace <= 2.11.8 - Insecure Direct Object Reference to Update Membership Payment | wclovers | WCFM Membership – WooCommerce Memberships for Multivendor Marketplace | Medium | 4.3 | 2026-02-09 23:23:28 | Deep Dive |
| CVE-2025-13192 | Popup builder with Gamification <= 2.2.0 - Unauthenticated SQL Injection via Multiple REST API Endpoints | roxnor | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | High | 8.2 | 2026-02-04 23:22:57 | Deep Dive |
| CVE-2026-1370 | SIBS - WooCommerce <= 2.2.0 - Authenticated (Admin+) SQL Injection via 'referencedId' Parameter | comprassibs | SIBS woocommerce payment gateway | Medium | 4.9 | 2026-02-04 08:25:33 | Deep Dive |
| CVE-2026-0679 | Fortis for WooCommerce <= 1.2.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid via 'wc-api' Endpoint | fortispay | Fortis for WooCommerce | Medium | 5.3 | 2026-02-04 08:25:32 | Deep Dive |