Platform: wordpress
Component: wc-product-table-lite
Fixed in: 4.6.4
CVE-2026-34902 describes a Stored Cross-Site Scripting (XSS) vulnerability present in the Product Table and List Builder for WooCommerce Lite plugin for WordPress. This flaw allows unauthenticated attackers to inject arbitrary web scripts, potentially leading to session hijacking or defacement. The vulnerability affects versions up to and including 4.6.3, and a patch is available in version 4.6.4.
The impact of this XSS vulnerability is significant. An attacker could inject malicious JavaScript code into the plugin's output, which would then be executed in the browsers of any user visiting a page containing the injected script. This could allow the attacker to steal user cookies, redirect users to phishing sites, or even deface the website. Given the plugin's functionality – displaying product tables – this vulnerability could affect numerous pages across an e-commerce site, significantly expanding the attack surface. The lack of authentication required to exploit the vulnerability further increases the risk, as any visitor can potentially trigger the attack.
CVE-2026-34902 was publicly disclosed on 2026-04-07. Currently, there are no known public exploits or active campaigns targeting this specific vulnerability. It is not listed on the CISA KEV catalog at the time of this writing. The vulnerability's ease of exploitation, combined with the plugin's popularity, suggests it could become a target for opportunistic attackers.
E-commerce websites utilizing the Product Table and List Builder for WooCommerce Lite plugin, particularly those running older versions (≤4.6.3), are at significant risk. Shared hosting environments where plugin updates are managed centrally are also at increased risk, as they may be slower to apply security patches.
• wordpress / composer / npm: grep -r '<script>' /var/www/wordpress/wp-content/plugins/product-table-and-list-builder-for-woocommerce-lite/
• wordpress / composer / npm: wp plugin list --status=active | grep 'product-table-and-list-builder-for-woocommerce-lite'
• wordpress / composer / npm: wp plugin update product-table-and-list-builder-for-woocommerce-lite
• generic web: Inspect product table pages for unexpected JavaScript behavior or alerts.
The primary mitigation for CVE-2026-34902 is to immediately upgrade the Product Table and List Builder for WooCommerce Lite plugin to version 4.6.4 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious input. Specifically, look for patterns indicative of JavaScript injection attempts. Additionally, carefully review any user-supplied data used within the plugin and ensure proper input sanitization and output escaping are implemented. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) through the plugin’s input fields and verifying that the script does not execute.
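To make the "input sanitization and output escaping" advice concrete, here is an added illustration that is not the plugin's own code and does not reproduce the actual flaw in wc-product-table-lite: a hypothetical plugin fragment that stores a visitor-supplied table caption and later renders it, shown first in an unsafe form and then hardened with WordPress's own sanitization and escaping functions. The option name and request field are assumptions.

```php
<?php
// Added illustration only. Hypothetical option 'pt_demo_caption' and request
// field 'pt_caption'; this is not the code of the affected plugin.

// UNSAFE: the raw request value is stored and later echoed verbatim into HTML.
// A visitor who submits "<script>...</script>" gets it executed in every
// later viewer's browser: the stored XSS pattern this advisory describes.
function pt_demo_save_caption_unsafe() {
    if ( isset( $_POST['pt_caption'] ) ) {
        update_option( 'pt_demo_caption', wp_unslash( $_POST['pt_caption'] ) );
    }
}
function pt_demo_render_caption_unsafe() {
    echo '<caption>' . get_option( 'pt_demo_caption', '' ) . '</caption>';
}

// HARDENED: sanitize on input AND escape on output. Escaping at the sink is the
// control that actually prevents script execution; sanitizing on input keeps
// junk out of the database but must not be relied on alone.
function pt_demo_save_caption_safe() {
    if ( ! isset( $_POST['pt_caption'] ) ) {
        return;
    }
    // sanitize_text_field() strips tags, control characters and extra whitespace.
    $caption = sanitize_text_field( wp_unslash( $_POST['pt_caption'] ) );
    update_option( 'pt_demo_caption', $caption );
}
function pt_demo_render_caption_safe() {
    // esc_html() turns < > & " ' into entities, so the value is text, never markup.
    // In an attribute context (e.g. title="...") use esc_attr() instead.
    echo '<caption>' . esc_html( get_option( 'pt_demo_caption', '' ) ) . '</caption>';
}

// If a little HTML must be allowed (e.g. <strong>), use wp_kses() with an explicit
// allow-list on BOTH store and render instead of esc_html(): anything outside the
// list, including <script> and on* event handlers, is removed.
function pt_demo_allowed_caption_html() {
    return array( 'strong' => array(), 'em' => array() );
}
function pt_demo_render_rich_caption_safe() {
    $caption = get_option( 'pt_demo_caption', '' );
    echo '<caption>' . wp_kses( $caption, pt_demo_allowed_caption_html() ) . '</caption>';
}
```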
Update to version 4.6.4, or to a newer fixed version.
CVE-2026-34902 is a Stored Cross-Site Scripting (XSS) vulnerability in the Product Table and List Builder for WooCommerce Lite plugin, allowing attackers to inject malicious scripts.
You are affected if you are using Product Table and List Builder for WooCommerce Lite version 4.6.3 or earlier. Upgrade to 4.6.4 to mitigate the risk.
Upgrade the plugin to version 4.6.4 or later. Consider a WAF rule as a temporary workaround if immediate upgrade is not possible.
There are currently no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.