Description
The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcodes_set' parameter in all versions up to, and including, 1.0.6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-02-18
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross-Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability allows attackers to inject arbitrary scripts into pages served by WordPress sites that use the Active Products Tables for WooCommerce plugin. By supplying malicious content in the 'shortcodes_set' parameter, an unauthenticated user can cause an innocent visitor to execute scripts when they view a page containing the shortcode. This result is a classic reflected XSS that can compromise client-side data, facilitate phishing, or provide a foothold for further cookie-stealing attacks.

Affected Systems

The flaw affects the WordPress plugin RealMag777’s Active Products Tables for WooCommerce, versions up to and including 1.0.6.6. Targets are sites running any WordPress installation with the plugin installed and the shortcode active. The vulnerability is present in the plugin's source file referenced in the official WordPress repository.

Risk and Exploitability

The CVSS score of 6.1 classifies the vulnerability as medium severity, and the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present. Because access requires an unauthenticated user to persuade another visitor to click a crafted link, the attack vector is user interaction – it is not remotely exploitable without human collaboration. The vulnerability is not listed in the CISA KEV catalog, so no known active exploits have been reported yet.

Generated by OpenCVE AI on April 21, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Active Products Tables for WooCommerce plugin to any version newer than 1.0.6.6 that addresses the XSS issue.
  • If an update is not yet available, disable or remove the shortcode that processes the 'shortcodes_set' parameter, or completely uninstall the plugin to eliminate the attack surface.
  • Add a strict Content Security Policy (CSP) header that blocks inline scripts on the affected pages to mitigate potential XSS payloads until the plugin issue is resolved.

Generated by OpenCVE AI on April 21, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-4809 The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcodes_set' parameter in all versions up to, and including, 1.0.6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
History

Fri, 21 Feb 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Pluginus
Pluginus active Products Tables For Woocommerce
CPEs cpe:2.3:a:pluginus:active_products_tables_for_woocommerce:*:*:*:*:*:wordpress:*:*
Vendors & Products Pluginus
Pluginus active Products Tables For Woocommerce

Tue, 18 Feb 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 18 Feb 2025 07:45:00 +0000

Type Values Removed Values Added
Description The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcodes_set' parameter in all versions up to, and including, 1.0.6.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Title Active Products Tables for WooCommerce. Use constructor to create tables <= 1.0.6.6 - Reflected Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Pluginus Active Products Tables For Woocommerce
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:34:08.705Z

Reserved: 2025-01-29T21:28:02.044Z

Link: CVE-2025-0864

cve-icon Vulnrichment

Updated: 2025-02-18T15:20:01.755Z

cve-icon NVD

Status : Analyzed

Published: 2025-02-18T08:15:10.723

Modified: 2025-02-21T15:32:38.470

Link: CVE-2025-0864

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:30:06Z

Weaknesses