Arbitrary Shortcode Execution Vulnerability in WooCommerce Tables
CVE-2024-10959

7.3 HIGH

Summary

The Active Products Tables plugin for WooCommerce is vulnerable to arbitrary shortcode execution through the woot_get_smth AJAX action. The plugin does not adequately validate user input before running do_shortcode. As a result, unauthenticated attackers can execute arbitrary shortcodes in all versions up to and including 1.0.6.5, which could compromise the integrity and security of affected WordPress sites. Website administrators are strongly encouraged to update their installations immediately to mitigate any risks associated with this vulnerability.

Affected Version(s)

Active Products Tables for WooCommerce. Use constructor to create tables * <= 1.0.6.5
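
For triage, an added example (not code from the plugin or from this advisory): it checks an installed version string against the affected range and flags access-log requests that name the woot_get_smth action at WordPress's admin-ajax.php endpoint. The log lines are constructed, and the Combined Log Format layout and the function names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

ACTION = "woot_get_smth"        # AJAX action named in the advisory
LAST_AFFECTED = (1, 0, 6, 5)    # advisory: versions <= 1.0.6.5 are affected

# Assumed layout (Combined Log Format): ip - - [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def is_affected(version):
    """True if a dotted numeric plugin version is in the affected range."""
    parts = tuple(int(p) for p in version.strip().split("."))
    width = max(len(parts), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))   # so "1.0.6" compares as 1.0.6.0
    return pad(parts) <= pad(LAST_AFFECTED)

def scan(lines):
    """Return (hits, blind): per-client counts of requests that name the action,
    and of POSTs whose action sits in the body and so is not in the log."""
    hits, blind = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, _status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        actions = parse_qs(url.query).get("action", [])
        if ACTION in actions:
            hits[ip] += 1
        elif method == "POST" and not actions:
            blind[ip] += 1   # needs request-body logging (e.g. at a WAF) to classify
    return hits, blind

# Constructed sample lines using documentation-range addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=woot_get_smth HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [12/Nov/2024:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=woot_get_smth HTTP/1.1" 200 640 "-" "-"',
    '198.51.100.4 - - [12/Nov/2024:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "-"',
    '192.0.2.10 - - [12/Nov/2024:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "-"',
    '192.0.2.10 - - [12/Nov/2024:10:03:09 +0000] "GET /shop/ HTTP/1.1" 200 9001 "-" "-"',
]

if __name__ == "__main__":
    hits, blind = scan(SAMPLE_LOG)
    print("installed 1.0.6.5 affected:", is_affected("1.0.6.5"))
    print("requests naming the action:", dict(hits))
    print("POSTs with action hidden in body:", dict(blind))
```

A hit shows only that the action was requested, not that a shortcode ran; on an affected version, treat hits from unknown clients as a reason to review the site after updating.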

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Arkadiusz Hydzik