Remote Code Execution Vulnerability in Product Table plugin for WordPress
CVE-2024-6365

9.8CRITICAL

Key Information:

Vendor
Wordpress
Status
Product Table By Wbw
Vendor
CVE Published:
9 July 2024

Summary

The WBW Product Table plugin for WordPress is exposed to a Remote Code Execution vulnerability, allowing unauthorized users to execute arbitrary code on the server. This vulnerabilities stem from the 'saveCustomTitle' function, which lacks necessary authorization checks and sanitization processes for data inputs, particularly in the languages/customTitle.php file. Attackers can exploit this flaw to compromise the server's integrity, emphasizing the need for immediate updates and security measures for all installations of version 2.0.1 and prior.

Affected Version(s)

Product Table by WBW * <= 2.0.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/woo-product-ta...
https://plugins.trac.wordpress.org/browser/woo-product-ta...

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Friderika Baranyai
.