WooCommerce is the open-source ecommerce platform for WordPress.
Our core platform is free, flexible, and amplified by a global community. The freedom of open-source means you retain full ownership of your store’s content and data forever.
Whether you’re launching a business, taking brick-and-mortar retail online, or developing sites for clients, use WooCommerce for a store that powerfully blends content and commerce.
- Create beautiful, enticing storefronts with themes suited to your brand and industry.
- Increase revenue with an optimized shopping cart experience that converts.
- Customize product pages in minutes using modular product blocks.
- Showcase physical and digital goods, product variations, custom configurations, instant downloads, and affiliate items.
- Sell subscriptions, bookings, or memberships, with our developer-vetted extensions.
- Rise to the top of search results by leveraging WordPress’ SEO advantage.
- Build on a platform that scales. Get flexible ecommerce for high-volume stores.
ALL THE TOOLS YOU NEED TO SELL
Built-in tools and popular integrations help you efficiently manage your business operations. Many services are free to add with a single click via the optional Setup Wizard.
- Choose how you want to get paid. Conveniently manage payments from the comfort of your store with WooPayments (Available in the U.S., U.K., Ireland, Australia, New Zealand, Canada, Spain, France, Germany, and Italy). Securely accept credit cards, mobile wallets, bank transfers, and cash thanks to 100+ payment gateways – including Stripe, PayPal, and Square.
- Configure your shipping options. Print USPS labels right from your dashboard and even schedule a pickup with WooCommerce Shipping (U.S.-only). Connect with well-known carriers such as UPS and FedEx – plus a wide variety of delivery, inventory, and fulfillment solutions for your locale.
- Simplify sales tax. Add WooCommerce Tax or similar integrated services to make automated calculations a reality.
Grow your business, add features, and monitor your store on the go
WooCommerce means business. Keep tabs on the performance metrics most important to you with a powerful and flexible central dashboard built into WooCommerce.
Expand your audience across marketing and social channels with Google Ads, HubSpot, Mailchimp, and Facebook integrations. You can always check out the in-dashboard Marketing Hub for fresh ideas and tips to help you succeed.
Enhance store functionality with hundreds of free and paid extensions from the WooCommerce Marketplace. Our developers vet each new extension and regularly review existing extensions to maintain Marketplace quality standards. We are actively looking for products that help store builders create successful stores.
Manage your store from anywhere with the free WooCommerce mobile app (Android and iOS). Spoiler alert: Keep an ear out for the slightly addictive “cha-ching” notification sound each time you make a new sale!
Own and control your store data – forever
With WooCommerce, your data belongs to you. Always.
If you opt to share usage data with us, you can feel confident knowing that it’s anonymized and kept secure. Choose to opt-out at any time without impacting your store.
Unlike hosted ecommerce solutions, WooCommerce store data is future-proof; you’re free to export all your content and take your site to any platform you choose. No restrictions.
Why developers choose (and love) WooCommerce
Developers can use WooCommerce to create, customize, and scale a store to meet a client’s exact specifications, making enhancements through extensions or custom solutions.
- Leverage hooks and filters to modify or create functionality.
- Integrate virtually any service using a robust REST API and webhooks.
- Design and build custom content blocks with React.
- Inspect and modify any aspect of the core plugin code.
- Speed up development with a lightning-fast CLI.
The core platform is tested rigorously and often, supported by a dedicated development team working across time zones. Comprehensive documentation is updated with each release, empowering you to build exactly the store required.
Be part of our growing international community
WooCommerce has a large, passionate community dedicated to helping merchants succeed – and it’s growing fast.
There are WooCommerce Meetups in locations around the world that you can attend for free and even get involved in running. These events are a great way to learn from others, share your expertise, and connect with like-minded folks.
WooCommerce also has a regular presence at WordCamps across the globe – we’d love to meet you.
Contribute and translate
WooCommerce is developed and supported by Automattic, the creators of WordPress.com and Jetpack. We also have hundreds of independent contributors, and there’s always room for more. Head to the WooCommerce GitHub Repository to find out how you can pitch in.
WooCommerce is translated into multiple languages, including Danish, Ukrainian, and Persian. Help localize WooCommerce even further by adding your locale – visit translate.wordpress.org.
Connection to WooCommerce.com
You can connect your store to WooCommerce.com to manage your subscriptions on WooCommerce Marketplace and receive product updates without leaving WordPress admin. Connection also enables installation of purchased products right from WooCommerce.com and streamlines access to technical support. If you’d like to learn about what data is gathered and how it is used, please refer to our Privacy Policy.
CVE History
| CVE | Affected | Published | CVSS v3 | CVSS v2 |
|---|---|---|---|---|
| — | 9.8 CRITICAL | — | ||
WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type values to write malicious PHP files to the web root. | ||||
| < 9.3.4, = *, >= 9.4.0, < 9.4.3 | 6.1 MEDIUM | — | ||
The WooCommerce plugin for WordPress is vulnerable to PostMessage-Based Cross-Site Scripting via the 'customize-store' page in all versions up to, and including, 9.4.2 due to insufficient input sanitization and output escaping on PostMessage data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| < 9.1.0 | 5.3 MEDIUM | — | ||
The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will render when the administrator views order form submissions. | ||||
| >= 8.9.0, < 8.9.3, >= 8.8, < 8.8.5 | 5.4 MEDIUM | — | ||
WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature. | ||||
| < 6.2.1 | 4.3 MEDIUM | — | ||
The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment | ||||
| <= 8.2.2 | 4.3 MEDIUM | — | ||
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.2.2. | ||||
| <= 1.3.25 | 5.9 MEDIUM | — | ||
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI Websolution Product page shipping calculator for WooCommerce plugin <= 1.3.25 versions. | ||||
| < 6.6.0 | 4.8 MEDIUM | 3.5 LOW | ||
The WooCommerce WordPress plugin before 6.6.0 is vulnerable to stored HTML injection due to lack of escaping and sanitizing in the payment gateway titles | ||||
| >= 3.3.0, < 3.3.6, >= 5.5.0, < 5.5.1, >= 5.4.0, < 5.4.2, >= 5.3.0, < 5.3.1, >= 5.2.0, < 5.2.3, >= 4.4.0, < 4.4.2, >= 4.5.0, < 4.5.3, >= 4.6.0, < 4.6.3, >= 4.7.0, < 4.7.2, >= 3.4.0, < 3.4.8, >= 3.5.0, < 3.5.9, >= 3.6.0, < 3.6.6, >= 3.7.0, < 3.7.2, >= 3.8.0, < 3.8.2, >= 3.9.0, < 3.9.4, >= 4.0.0, < 4.0.2, >= 4.1.0, < 4.1.2, >= 4.2.0, < 4.2.3, >= 4.3.0, < 4.3.4, >= 4.8.0, < 4.8.1, >= 4.9.0, < 4.9.3, >= 5.0.0, < 5.0.1, >= 5.1.0, < 5.1.1 | 4.9 MEDIUM | 4 MEDIUM | ||
Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpoints of `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing API. Read-only SQL queries can be executed using this exploit, while data will not be returned, by carefully crafting `search` parameter information can be disclosed using timing and related attacks. Version 3.3.6 is the earliest version of Woocommerce with a patch for this vulnerability. There are no known workarounds other than upgrading. | ||||
| < 5.2.0 | 4.8 MEDIUM | 3.5 LOW | ||
When taxes are enabled, the "Additional tax classes" field was not properly sanitised or escaped before being output back in the admin dashboard, allowing high privilege users such as admin to use XSS payloads even when the unfiltered_html is disabled | ||||
| < 4.7.0 | 5.3 MEDIUM | 5 MEDIUM | ||
The WooCommerce plugin before 4.7.0 for WordPress allows remote attackers to view the status of arbitrary orders via the order_id parameter in a fetch_order_status action. | ||||
| < 3.6.5 | 8.8 HIGH | 6.8 MEDIUM | ||
WooCommerce before 3.6.5, when it handles CSV imports of products, has a cross-site request forgery (CSRF) issue with resultant stored cross-site scripting (XSS) via includes/admin/importers/class-wc-product-csv-importer-controller.php. | ||||
| < 3.5.5 | — | 4.3 MEDIUM | ||
WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. | ||||
| < 3.4.6 | — | 5.5 MEDIUM | ||
The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress is vulnerable to a File Deletion vulnerability. This allows deletion of woocommerce.php, which leads to certain privilege checks not being in place, and therefore a shop manager can escalate privileges to admin. | ||||
| = *, < 3.2.4 | — | 6.5 MEDIUM | ||
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted string that will turn into a PHP object injection involving the includes/shortcodes/class-wc-shortcode-products.php WC_Shortcode_Products::get_products() use of cached queries within shortcodes. | ||||
| < 2.3.6 | — | 4.3 MEDIUM | ||
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.3.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted order. | ||||
| <= 2.6.8 | — | 3.5 LOW | ||
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format. | ||||
| <= 2.2.10 | — | 4.3 MEDIUM | ||
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.2.11 for WordPress allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING in the wc-reports page to wp-admin/admin.php. | ||||
| — | — | 4.3 MEDIUM | ||
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the range parameter on the wc-reports page to wp-admin/admin.php. | ||||