Platform: wordpress
Component: wc-product-table-lite
Fixed in: 3.8.7
CVE-2024-10899 is an arbitrary shortcode execution vulnerability, tracked as a Cross-Site Scripting (XSS) issue, in the WooCommerce Product Table Lite plugin for WordPress. Attacker-controlled request input reaches the shortcode parser without being validated first, so unauthenticated attackers can invoke any shortcode registered on the site, not only this plugin's own. Versions up to and including 3.8.6 are affected; the vendor fixed the issue in 3.8.7.
The primary impact of CVE-2024-10899 is that an attacker chooses which shortcodes run and with which attributes. A shortcode is just a registered PHP callback, so this reaches whatever functionality every active plugin and theme exposes through shortcodes, and the rendered output is returned to the browser. Where a reachable shortcode reflects its attributes into HTML without escaping, the result is JavaScript execution in the browsers of visitors who open a crafted link, with the usual consequences: session and account takeover, theft of data visible to the victim (including customer information on a WooCommerce store), and defacement. The 'id' parameter is also reported as vulnerable to reflected XSS, so a single crafted URL is enough to execute injected code in the browser of whoever visits it; no stored payload is required.
CVE-2024-10899 was publicly disclosed on November 20, 2024. No active exploitation campaign has been confirmed, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing. Treat it as high priority anyway: exploitation needs no authentication and no more than a crafted request, and once a fix is public the patch diff generally shows where the unvalidated input is, so public proof-of-concept code should be expected.
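The defect class behind this advisory, shown as an added example written for this page rather than code from the plugin or its vendor: a front-end AJAX handler reachable without login passes a request value straight to do_shortcode(), and the hardened version beside it lets the caller pick only which saved table to render. The hook name `wcpt_example_render`, the post type `wcpt_example_table`, the shortcode tag and the way the `id` parameter is used are assumptions for the illustration, not the plugin's real identifiers.

```php
<?php
// Added illustration of the bug class behind CVE-2024-10899: a front-end
// AJAX handler reachable without login (wp_ajax_nopriv_*) that hands request
// input to do_shortcode(). The hook name, parameter name, post type and
// shortcode tag below are placeholders chosen for this example, not the
// plugin's real identifiers.

// ---- Vulnerable pattern (kept only to show the defect) ----------------------
// Whatever the caller sends as `id` is parsed as shortcode text, so a request
// with  id=[any_registered_shortcode attr="..."]  executes that shortcode and
// reflects its output into the response.
function wcpt_example_render_table_vulnerable() {
    $id = isset( $_REQUEST['id'] ) ? wp_unslash( $_REQUEST['id'] ) : '';
    echo do_shortcode( $id ); // request input reaches the shortcode parser unchecked
    wp_die();
}

// ---- Hardened pattern --------------------------------------------------------
// The caller may only choose WHICH saved table to render. The shortcode string
// is built server-side from a validated integer, and the target post must be
// one of the plugin's own published table objects.
function wcpt_example_render_table_hardened() {
    $id = isset( $_REQUEST['id'] ) ? absint( $_REQUEST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 ); // sends JSON and exits
    }

    $post = get_post( $id );
    // 'wcpt_example_table' stands in for whatever post type the plugin stores
    // its tables under; anything else (pages, products, drafts) is refused.
    if ( ! $post || 'wcpt_example_table' !== $post->post_type
         || 'publish' !== $post->post_status ) {
        wp_send_json_error( 'no such table', 404 );
    }

    // Only this one shortcode, with an integer argument, can ever be parsed here.
    echo do_shortcode( sprintf( '[wcpt_example_table id="%d"]', $id ) );
    wp_die();
}

// Register the hardened handler for both anonymous and logged-in callers.
add_action( 'wp_ajax_nopriv_wcpt_example_render', 'wcpt_example_render_table_hardened' );
add_action( 'wp_ajax_wcpt_example_render', 'wcpt_example_render_table_hardened' );
```

The point of the hardened version is that the request never contributes shortcode text at all: it contributes an integer, and the server decides both the tag and the attribute. Sanitising the string with functions such as sanitize_text_field() would not help here, because `[tag]` is perfectly valid text; the fix is to stop treating the input as markup.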
Exploit Status
EPSS: 0.71% (72nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-10899 is to upgrade WooCommerce Product Table Lite to 3.8.7 or later. If upgrading is not immediately possible, an interim virtual patch at the WAF or the WordPress layer can reject unauthenticated requests whose parameters contain shortcode syntax (an opening bracket followed by a tag name, for example `[tag ...]`); make sure the rule URL-decodes parameters before matching, because the brackets will usually arrive percent-encoded. Treat such a rule as a stopgap rather than a fix: it can block legitimate submissions that happen to contain brackets, and it should be removed once the plugin is updated. In your own code, never pass request values to do_shortcode(); select the shortcode server-side from a validated identifier. After upgrading, confirm that the version shown in the WordPress plugin list is 3.8.7 or later, and keep scanning the installation for vulnerable plugins with a tool that tracks plugin advisories.
Update the WooCommerce Product Table Lite plugin to the latest available version. The vulnerability allows execution of arbitrary shortcodes and XSS, so updating is essential to protect your website.
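An interim WordPress-layer guard of the kind described above, as an added example written for this page and not code from the plugin or the vendor. It is a must-use plugin that refuses anonymous requests carrying shortcode syntax in any GET or POST parameter. The file header, function names and log message are assumptions, and because the plugin's real endpoint is not known to this example the check applies to every anonymous request.

```php
<?php
/**
 * Plugin Name: Interim shortcode-injection guard (example)
 * Description: Rejects anonymous requests whose parameters contain shortcode
 *              syntax. Stopgap until the vulnerable plugin is updated; drop
 *              this file into wp-content/mu-plugins/ and remove it afterwards.
 */

// True if $value (a string, or an array of strings as $_GET/$_POST can be)
// contains something that looks like an opening shortcode tag: a bracket, a
// tag name made of the characters WordPress allows, optional attributes, a
// closing bracket. Unlike get_shortcode_regex() this is not limited to the
// tags registered on the site, which is the point: the syntax itself is refused.
function wcpt_guard_contains_shortcode( $value ) {
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( wcpt_guard_contains_shortcode( $item ) ) {
                return true;
            }
        }
        return false;
    }
    if ( ! is_string( $value ) ) {
        return false;
    }
    // PHP has already decoded the query string once; decode again so that a
    // double-encoded "%255B" (-> "%5B" -> "[") does not slip past the check.
    $decoded = rawurldecode( $value );
    return 1 === preg_match( '/\[[A-Za-z0-9_-]+(?:\s[^\]]*)?\]/', $decoded );
}

// Runs early on every request: init fires before admin-ajax.php dispatches
// wp_ajax_nopriv_* actions and before any template renders. Logged-in users
// are left alone, since the vulnerability is reachable by anonymous callers
// and a blanket block would break editors who legitimately type shortcodes.
function wcpt_guard_check_request() {
    if ( is_user_logged_in() ) {
        return;
    }
    if ( wcpt_guard_contains_shortcode( $_GET ) || wcpt_guard_contains_shortcode( $_POST ) ) {
        error_log( sprintf(
            'wcpt_guard: shortcode syntax in anonymous request %s from %s',
            isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '?',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?'
        ) );
        status_header( 400 );
        nocache_headers();
        exit( 'Bad request' );
    }
}
add_action( 'init', 'wcpt_guard_check_request', 0 );
```

Expect false positives: an anonymous comment containing "[1]" or a contact-form message with bracketed text will be refused while this is active, which is acceptable for a few days but not as a permanent control. If the vulnerable endpoint is identified, narrow the check to requests carrying that `action` value instead of applying it globally, and keep the error_log line so that blocked attempts are visible in the PHP error log for triage.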
CVE-2024-10899 is an arbitrary shortcode execution vulnerability, tracked as Cross-Site Scripting, in WooCommerce Product Table Lite versions up to and including 3.8.6. It lets unauthenticated attackers run any shortcode registered on the site.
Yes. If you run WooCommerce Product Table Lite 3.8.6 or earlier, the site is vulnerable.
Upgrade WooCommerce Product Table Lite to 3.8.7 or later. A WAF or must-use-plugin rule that rejects anonymous requests containing shortcode syntax is a reasonable stopgap until then.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a high-priority risk.
Refer to the WooCommerce Product Table Lite plugin documentation and website for the latest security advisories and updates.