Platform: wordpress
Component: wc-product-table-lite
Fixed version: 3.8.7
CVE-2024-10899 describes a Cross-Site Scripting (XSS) vulnerability within the WooCommerce Product Table Lite plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to malicious code injection and compromise of the website. The vulnerability impacts versions of the plugin up to and including 3.8.6, and a patch is available from the vendor.
The primary impact of CVE-2024-10899 is that an attacker can inject and execute arbitrary shortcodes. This can be leveraged to inject malicious JavaScript into the website, which is then executed in the browsers of legitimate users. Successful exploitation could lead to account takeover, data theft (including sensitive user information), and defacement of the website. The 'id' parameter is additionally exposed to reflected cross-site scripting, which widens the attack surface: an attacker can craft a URL that executes injected code in the browser of whoever visits it. This vulnerability is particularly concerning given the widespread use of WordPress and WooCommerce plugins.
CVE-2024-10899 was publicly disclosed on November 20, 2024. While no active exploitation campaigns have been definitively confirmed, the ease of exploitation and the potential impact make it a high-priority vulnerability. Public proof-of-concept (PoC) code is likely to emerge, increasing the risk of widespread exploitation. This vulnerability is not currently listed on the CISA KEV catalog.
Websites utilizing the WooCommerce Product Table Lite plugin, particularly those running versions 3.8.6 or earlier, are at risk. Shared hosting environments where plugin updates are not managed by the website owner are especially vulnerable. Sites with weak security configurations or those lacking regular security scans are also at increased risk.
• wordpress / composer / npm:
  grep -r 'do_shortcode' /var/www/html/wp-content/plugins/product-table-lite/
• wordpress / composer / npm:
  wp plugin list --status=all | grep 'product-table-lite'
• wordpress / composer / npm:
  curl -I https://your-wordpress-site.com/wp-content/plugins/product-table-lite/ | grep -i 'X-Powered-By'
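The commands above locate the plugin but do not tell you whether the installed copy is at or above the fixed version. The script below is an added example (not from this page or from the plugin's vendor) that reads the standard WordPress plugin header from the plugin's main PHP file and compares the Version field against the fixed version 3.8.7 stated on this page. It assumes the plugin directory is named wc-product-table-lite (the component slug above; the page's own commands use product-table-lite, so adjust the path to match your install) and, when run without arguments, exercises itself on constructed fixture directories rather than a real site.

```shell
#!/bin/sh
# Check whether an installed WooCommerce Product Table Lite copy predates the fix for CVE-2024-10899.
# Added example; FIXED_VERSION comes from the advisory's fixed-version field.
FIXED_VERSION="3.8.7"

# version_lt A B: return 0 (true) if dotted version A is strictly lower than B.
# Missing components count as 0, so "3.8" < "3.8.7" and "3.8.10" > "3.8.7".
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) exit 0
      if (x > y) exit 1
    }
    exit 1
  }'
}

# wp_plugin_version DIR: print the Version: value from the plugin header block
# found in any top-level .php file of DIR (the standard WordPress header format).
wp_plugin_version() {
  grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$1"/*.php 2>/dev/null \
    | head -n 1 \
    | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//'
}

# is_vulnerable DIR: return 0 if the installed version is below FIXED_VERSION,
# 1 if it is patched, 2 if no plugin header could be found.
is_vulnerable() {
  v=$(wp_plugin_version "$1")
  if [ -z "$v" ]; then
    echo "no plugin header found in $1" >&2
    return 2
  fi
  if version_lt "$v" "$FIXED_VERSION"; then
    echo "VULNERABLE: $1 has version $v (< $FIXED_VERSION), update required"
    return 0
  fi
  echo "OK: $1 has version $v (>= $FIXED_VERSION)"
  return 1
}

# make_fixture VERSION: build a constructed sample plugin directory (not a real
# install) carrying the given Version header, and print its path.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wc-product-table-lite"
  printf '<?php\n/*\nPlugin Name: WooCommerce Product Table Lite\nVersion: %s\n*/\n' "$1" \
    > "$d/wc-product-table-lite/wc-product-table-lite.php"
  echo "$d/wc-product-table-lite"
}

# Usage: check.sh /var/www/html/wp-content/plugins/wc-product-table-lite
# With no argument, demonstrate on constructed fixtures (one old, one patched).
if [ "$#" -gt 0 ]; then
  is_vulnerable "$1"
  exit $?
fi
is_vulnerable "$(make_fixture 3.8.6)" || true
is_vulnerable "$(make_fixture 3.8.7)" || true
```

The exit status follows the verdict (0 = vulnerable, 1 = patched, 2 = header not found), so the script can be dropped into a cron job or a fleet-wide loop over `wp-content/plugins` and the results grepped or alerted on.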
Exploitation status
EPSS: 0.71% (72nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-10899 is to upgrade the WooCommerce Product Table Lite plugin to a patched version (3.8.7 or later). If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) rule that filters requests carrying potentially malicious shortcodes. Additionally, carefully review and sanitize all user input so that shortcode syntax cannot be injected. Regularly scan your WordPress installation for vulnerable plugins with security scanning tools.
Update the WooCommerce Product Table Lite plugin to the latest available version. The vulnerability allows execution of arbitrary shortcodes and XSS, so updating is essential to protect your website.
CVE-2024-10899 is a Cross-Site Scripting vulnerability affecting WooCommerce Product Table Lite versions up to 3.8.6, allowing attackers to execute arbitrary shortcodes.
Yes, if you are using WooCommerce Product Table Lite version 3.8.6 or earlier, you are vulnerable to this XSS attack.
Upgrade WooCommerce Product Table Lite to the latest version, which includes a patch for this vulnerability. Consider WAF rules as an interim measure.
While no active exploitation campaigns have been confirmed, the vulnerability's ease of exploitation makes it a high-priority risk.
Refer to the WooCommerce Product Table Lite plugin documentation and website for the latest security advisories and updates.