PatchSiren

WooCommerce CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL WooCommerce CVE published 2026-06-20

CVE-2022-50972

CVE-2022-50972 is a critical remote code execution vulnerability in WooCommerce 7.1.0. The vulnerability allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. This is achieved by sending requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values, enabling the writing of malicious PHP files to the web root. The [truncated]

MEDIUM woocommerce CVE published 2026-06-16

CVE-2026-2381

The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0. This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only vali [truncated]

HIGH woocommerce CVE published 2026-05-23

CVE-2026-9284

The WooCommerce PayPal Payments plugin for WordPress contains missing authorization checks on two WC-AJAX endpoints (`ppc-create-order` and `ppc-get-order`) in versions up to and including 4.0.1. The `ppc-create-order` endpoint accepts arbitrary WooCommerce order IDs in the `pay-now` context without validating order ownership, allowing unauthenticated attackers to create PayPal orders for any WC order and [truncated]