Reflected Cross-Site Scripting in WooCommerce Plugin Due to Insufficient Input Sanitization
CVE-2025-0864

6.1 MEDIUM

Summary

The Active Products Tables for WooCommerce plugin is susceptible to Reflected Cross-Site Scripting via the 'shortcodes_set' parameter. The vulnerability arises from insufficient input sanitization and output escaping. As a result, unauthorized attackers could inject malicious scripts into web pages. If a user is deceived into clicking a crafted link, the injected scripts may execute within their browser context, compromising user information and site integrity.

Affected Version(s)

Active Products Tables for WooCommerce. Use constructor to create tables * <= 1.0.6.6

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Brian Sans-Souci