The The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. The same 'id' parameter is vulnerable to Reflected Cross-Site Scripting as well.
History

Tue, 26 Nov 2024 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wcproducttable woocommerce Product Table
CPEs cpe:2.3:a:wcproducttable:woocommerce_product_table:*:*:*:*:lite:wordpress:*:*
Vendors & Products Wcproducttable woocommerce Product Table

Wed, 20 Nov 2024 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Wcproducttable
Wcproducttable woocommerce Product Table Lite
CPEs cpe:2.3:a:wcproducttable:woocommerce_product_table_lite:*:*:*:*:*:wordpress:*:*
Vendors & Products Wcproducttable
Wcproducttable woocommerce Product Table Lite
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 Nov 2024 07:00:00 +0000

Type Values Removed Values Added
Description The The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. The same 'id' parameter is vulnerable to Reflected Cross-Site Scripting as well.
Title WooCommerce Product Table Lite <= 3.8.6 - Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-11-20T06:42:56.080Z

Updated: 2024-11-20T20:24:29.071Z

Reserved: 2024-11-05T19:15:21.504Z

Link: CVE-2024-10899

cve-icon Vulnrichment

Updated: 2024-11-20T20:24:22.890Z

cve-icon NVD

Status : Analyzed

Published: 2024-11-20T07:15:08.260

Modified: 2024-11-26T21:01:21.643

Link: CVE-2024-10899

cve-icon Redhat

No data.