Arbitrary Shortcode Execution Vulnerability in WooCommerce Product Table Lite by WordPress
CVE-2024-13472

7.3HIGH

Key Information:

Vendor: WordPress
Status: WooCommerce Product Table Lite
Vendor: CVE Published:; 31 January 2025

Summary

The WooCommerce Product Table Lite plugin for WordPress is susceptible to arbitrary shortcode execution due to insufficient validation in handling user inputs. This vulnerability affects all plugin versions up to and including 3.9.4. An unauthenticated attacker can exploit the flaw by executing arbitrary shortcodes through the unvalidated 'sc_attrs' parameter. Additionally, this parameter is also prone to reflected cross-site scripting, which can further compromise the security of the affected site. It is critical for users of this plugin to implement necessary security measures to mitigate potential attacks.

Affected Version(s)

WooCommerce Product Table Lite * <= 3.9.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/wc-product-table-lite/#deve...

https://plugins.trac.wordpress.org/browser/wc-product-tab...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 31, 2025
Vulnerability Reserved
Jan 16, 2025

Credit

Michael Mazzolini