WooCommerce Plugin for WordPress contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the program does not validate input to tooltips before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server.

WooCommerce Plugin for WordPress contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the Tax Settings page not properly sanitizing user-supplied input to the ‘tax_rate_country’ parameter. This may allow an authenticated remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.