Unauthorized Post Title Modification Vulnerability in WooCommerce Product Table Lite
CVE-2024-6458
6.4MEDIUM
Key Information:
- Vendor
- Wordpress
- Vendor
- CVE Published:
- 27 July 2024
Summary
The WooCommerce Product Table Lite plugin for WordPress is vulnerable to unauthorized post title modification due to a missing capability check on the wcpt_presets__duplicate_preset_to_table function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers with subscriber access and above to change titles of arbitrary posts. Missing sanitization can lead to Stored Cross-Site Scripting when viewed by an admin via the WooCommerce Product Table.
Affected Version(s)
WooCommerce Product Table Lite * <= 3.5.1
References
CVSS V3.1
Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Lucio Sá