PT-2025-2187 · WordPress · Woocommerce Product Table Lite

Michael Mazzolini +1 · Published 2025-01-31 · Updated 2025-02-11 · CVE-2024-13472

CVSS v3.1: 7.3 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

WooCommerce Product Table Lite plugin for WordPress versions up to, and including, 3.9.4

Description

The issue allows unauthenticated attackers to execute arbitrary shortcodes because the software does not properly validate a value before running do_shortcode(). The same sc_attrs parameter is also vulnerable to Reflected Cross-Site Scripting.

Recommendations

For versions up to, and including, 3.9.4, update to a version later than 3.9.4 to resolve the issue. As a temporary workaround, consider restricting access to the sc_attrs parameter to minimize the risk of exploitation. Avoid using the sc_attrs parameter in affected shortcodes until the issue is resolved.

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2024-13472

Affected Products

Woocommerce Product Table Lite