Platform
wordpress
Component
profit-products-tables-for-woocommerce
Fixed in
1.0.7
CVE-2024-10959 describes an arbitrary shortcode execution vulnerability discovered in the Active Products Tables for WooCommerce plugin. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially compromising the entire WordPress site. The vulnerability affects versions up to and including 1.0.6.5, and a patch is available from the plugin developer.
The impact of this vulnerability is significant. Successful exploitation allows an attacker to execute arbitrary shortcodes on the WordPress site without authentication. This could lead to a wide range of malicious activities, including defacement, malware injection, data theft, and even complete site takeover. Attackers could leverage this to inject malicious code into the site's content, redirect users to phishing pages, or gain access to sensitive data stored within the WordPress database. The ability to execute arbitrary shortcodes bypasses standard WordPress security measures, making this a particularly dangerous vulnerability.
This vulnerability was publicly disclosed on December 10, 2024. While no active exploitation campaigns have been confirmed, the ease of exploitation and the availability of a public description increase the likelihood of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge, further increasing the risk.
Exploit Status
EPSS
1.19% (79% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-10959 is to immediately upgrade the Active Products Tables for WooCommerce plugin to the latest available version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a secondary measure, implement a Web Application Firewall (WAF) rule to block requests to the wootgetsmth AJAX action. Regularly review WordPress plugin security and consider using a security plugin to scan for vulnerabilities.
Actualice el plugin Active Products Tables for WooCommerce a la última versión disponible. La vulnerabilidad permite la ejecución de shortcodes arbitrarios por usuarios no autenticados, por lo que es crucial actualizar para mitigar el riesgo.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-10959 is a vulnerability in the Active Products Tables for WooCommerce plugin that allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to site takeover. It affects versions up to 1.0.6.5.
If you are using Active Products Tables for WooCommerce version 1.0.6.5 or earlier, you are potentially affected by this vulnerability. Check your plugin version and upgrade immediately.
The recommended fix is to upgrade the Active Products Tables for WooCommerce plugin to the latest available version. Consult the plugin developer's website for the updated version.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a potential target. Monitor your site for suspicious activity.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.