HIGH · CVE-2026-34902 · CVSS 7.2

CVE-2026-34902: XSS in Product Table WooCommerce Lite

Platform: wordpress
Component: wc-product-table-lite
Fixed in: 4.6.4

AI Confidence: high · NVD · Reviewed: May 2026

CVE-2026-34902 describes a Stored Cross-Site Scripting (XSS) vulnerability present in the Product Table and List Builder for WooCommerce Lite plugin for WordPress. This flaw allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to session hijacking or defacement. The vulnerability affects versions up to and including 4.6.3, and a patch is available in version 4.6.4.


Impact and Attack Scenarios

The impact of this XSS vulnerability is significant. An attacker could inject malicious JavaScript code into the plugin's output, which would then be executed in the browsers of any user visiting a page containing the injected script. This could allow the attacker to steal user cookies, redirect users to phishing sites, or even deface the website. Given the plugin's functionality – displaying product tables – this vulnerability could affect numerous pages across an e-commerce site, significantly expanding the attack surface. The lack of authentication required to exploit the vulnerability further increases the risk, as any visitor can potentially trigger the attack.

Exploitation Context

CVE-2026-34902 was publicly disclosed on 2026-04-07. Currently, there are no known public exploits or active campaigns targeting this specific vulnerability. It is not listed on the CISA KEV catalog at the time of this writing. The vulnerability's ease of exploitation, combined with the plugin's popularity, suggests it could become a target for opportunistic attackers.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (base score 7.2, HIGH)
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
Source: nextguardhq.com, CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: wc-product-table-lite
Vendor: wordfence
Affected range: up to and including 4.6.3
Fixed in: 4.6.4

Package Information

Active installs: 10K (Niche)
Plugin rating: 4.9
Requires WordPress: 4.9+
Compatible up to: 7.0.0
Requires PHP: 7.4+

Weakness Classification (CWE)

Timeline

  1. Published
  2. Modified

Mitigation and Workarounds

The primary mitigation for CVE-2026-34902 is to immediately upgrade the Product Table and List Builder for WooCommerce Lite plugin to version 4.6.4 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious input. Specifically, look for patterns indicative of JavaScript injection attempts. Additionally, carefully review any user-supplied data used within the plugin and ensure proper input sanitization and output escaping are implemented. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the plugin’s input fields and verifying that the script does not execute.
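As an added illustration of the output escaping the mitigation paragraph calls for (example code, not the plugin's or the advisory's own): the row fields, function names and sample product are assumptions, and the stand-in esc_html(), esc_url() and wp_kses_post() definitions exist only so the file runs outside WordPress, where the real functions take over.

```php
<?php
// Added example, not the plugin's code: the output-escaping pattern a WordPress plugin
// should use when rendering product data into a table, plus a self-check that mirrors
// the page's verification step (the test payload must render as inert text).
// Stand-ins so the file runs outside WordPress. Inside WordPress the real esc_html(),
// esc_url() and wp_kses_post() exist, so these definitions are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Reject non-http(s) schemes (e.g. javascript:) and escape for an attribute.
    function esc_url(string $url): string {
        $scheme = parse_url($url, PHP_URL_SCHEME);
        if (!in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('wp_kses_post')) {
    // Minimal stand-in that drops all tags; WordPress keeps an allow-list instead.
    function wp_kses_post(string $html): string {
        return strip_tags($html);
    }
}

// Vulnerable pattern: untrusted values concatenated straight into HTML.
function render_row_unescaped(array $p): string {
    return '<tr><td><a href="' . $p['url'] . '">' . $p['name'] . '</a></td>'
         . '<td>' . $p['desc'] . '</td></tr>';
}

// Hardened pattern: escape each value for the context it lands in.
function render_row_escaped(array $p): string {
    return '<tr><td><a href="' . esc_url($p['url']) . '">' . esc_html($p['name']) . '</a></td>'
         . '<td>' . wp_kses_post($p['desc']) . '</td></tr>';
}

// Constructed sample row carrying the page's test payload in the (hypothetical) name field.
$product = [
    'name' => "Widget <script>alert('XSS')</script>",
    'url'  => 'https://shop.example/product/1',
    'desc' => '<b>Bold</b> description',
];
// Verification: the hardened output must not contain a live <script> tag.
$out  = render_row_escaped($product);
$safe = !preg_match('/<script\b/i', $out);
echo ($safe ? "OK: payload rendered as text\n" : "FAIL: script tag survived\n") . $out . "\n";
```

Running the same payload through render_row_unescaped() shows the script tag surviving intact, which is the condition the post-upgrade check in the paragraph above is meant to rule out.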

How to fix

Update to version 4.6.4, or a newer patched version


Frequently asked questions

What is CVE-2026-34902 — XSS in Product Table WooCommerce Lite?

CVE-2026-34902 is a Stored Cross-Site Scripting (XSS) vulnerability in the Product Table and List Builder for WooCommerce Lite plugin, allowing attackers to inject malicious scripts.

Am I affected by CVE-2026-34902 in Product Table WooCommerce Lite?

You are affected if you are using Product Table and List Builder for WooCommerce Lite version 4.6.3 or earlier. Upgrade to 4.6.4 to mitigate the risk.

How do I fix CVE-2026-34902 in Product Table WooCommerce Lite?

Upgrade the plugin to version 4.6.4 or later. Consider a WAF rule as a temporary workaround if immediate upgrade is not possible.

Is CVE-2026-34902 being actively exploited?

There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.

Where can I find the official Product Table WooCommerce Lite advisory for CVE-2026-34902?

Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
