Description
The Product Table for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_key' parameter in all versions up to, and including, 5.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Published: 2025-12-21
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting that can allow attackers to inject arbitrary scripts into webpages viewed by users, potentially leading to cookie theft or defacement.
Action: Patch Immediately
AI Analysis

Impact

The Product Table for WooCommerce plugin is vulnerable to reflected cross-site scripting through the search_key query parameter. Because the plugin neither sanitizes the value sufficiently on input nor escapes it on output, an unauthenticated attacker can embed HTML or script in a search_key value and deliver it to a victim as a crafted link. When the victim opens the link, the page reflects the unfiltered value and the browser executes the attacker's script in the site's origin. From there the script can alter the page (defacement, injected forms) or issue requests with the victim's session. Note that WordPress sets its authentication cookies with the HttpOnly flag, so reading the session cookie via document.cookie is not the realistic outcome; acting with the victim's session from inside the page is, and it is most damaging when the victim is a logged-in administrator. The severity is medium (CVSS 3.1 base score 6.1), and the impact can be significant whenever an attacker succeeds in getting a privileged user to click the link.
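To make the sink concrete, here is an added example written for this page; it is not the plugin's source, which is not shown here. It renders the pattern the description implies (a query value printed into an HTML attribute without escaping) beside a tag-stripping "fix" that does not help and the hardened form, then parses each result as a browser would to show whether an event handler was injected. The function names, the markup and the payload are constructed for illustration; in a WordPress plugin the escaping call would be esc_attr() for attribute context and esc_html() for text content.

```php
<?php
// Added example for this page: not the Product Table for WooCommerce source.
// Function names, markup and the payload are constructed for illustration.
declare(strict_types=1);

// Constructed attacker input. It contains no '<', so it survives tag stripping,
// yet it closes the value="..." attribute and adds an event handler.
const PAYLOAD = '" autofocus onfocus="alert(document.domain)';

// Vulnerable pattern: the reflected query value lands in an attribute verbatim.
function render_search_box_vulnerable(string $searchKey): string
{
    return '<input type="text" name="search_key" value="' . $searchKey . '">';
}

// Insufficient fix: stripping tags (one of the things WordPress's
// sanitize_text_field() does) only removes <...> constructs; an attribute
// break-out needs no tag at all and survives untouched.
function render_search_box_stripped(string $searchKey): string
{
    return '<input type="text" name="search_key" value="' . strip_tags($searchKey) . '">';
}

// Hardened: escape for the output context at the point of output.
// Inside WordPress use esc_attr(); outside it, htmlspecialchars() with
// ENT_QUOTES is the equivalent (encodes & < > " ').
function esc_attr_compat(string $text): string
{
    if (function_exists('esc_attr')) {
        return esc_attr($text);
    }
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_box_hardened(string $searchKey): string
{
    return '<input type="text" name="search_key" value="' . esc_attr_compat($searchKey) . '">';
}

// Parse the rendered fragment the way a browser would and report whether the
// <input> element ended up with any on* event-handler attribute.
function injected_handler_present(string $fragment): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $fragment . '</body></html>');
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('input') as $input) {
        foreach ($input->attributes as $attr) {
            if (stripos($attr->nodeName, 'on') === 0) {
                return true;
            }
        }
    }
    return false;
}

$variants = [
    'vulnerable' => render_search_box_vulnerable(PAYLOAD),
    'stripped'   => render_search_box_stripped(PAYLOAD),
    'hardened'   => render_search_box_hardened(PAYLOAD),
];
foreach ($variants as $name => $html) {
    printf("%-10s handler injected: %s\n           %s\n",
        $name, injected_handler_present($html) ? 'YES' : 'no', $html);
}
```

Run with `php` on the command line: the vulnerable and tag-stripped variants both yield an `<input>` carrying an `onfocus` attribute, while the hardened variant keeps the whole payload inside the `value` attribute as inert text. The lesson is that "sanitization" of input is not a substitute for escaping chosen for the exact output context (attribute, text node, URL, JavaScript string), which is what the CVE text means by "insufficient input sanitization and output escaping".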

Affected Systems

All installations of the Product Table for WooCommerce plugin by codersaiful at version 5.0.8 or earlier are affected; the CVE description covers every release up to and including 5.0.8, so there is no known safe earlier version to fall back to. The flaw is exposed on any WordPress site where the plugin is active and a page reflects the search_key query parameter used for product filtering. No version later than 5.0.8 is reported as affected.

Risk and Exploitability

Because exploitation requires user interaction (a victim has to follow a crafted link), the vulnerability is less attractive for mass, automated campaigns. That is consistent with the EPSS score below 1 %, the absence of the issue from the CISA KEV catalog, and the SSVC assessment recorded below (Exploitation: none, Automatable: no). The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N scores 6.1, medium: reachable over the network with no privileges required, but dependent on user interaction and limited to partial loss of confidentiality and integrity. In practice, exploiting it relies on social engineering, for example a phishing message or forum post carrying the crafted link, and the realistic worst case is a site administrator opening it while logged in.

Generated by OpenCVE AI on April 22, 2026 at 11:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Product Table for WooCommerce plugin to a version newer than 5.0.8. The CVE description lists every release up to and including 5.0.8 as affected, so 5.0.9 is the first release outside the affected range; confirm in the plugin changelog that the release you install actually addresses this issue, since the Remediation section above records no vendor fix.
  • If an upgrade is not immediately possible, reject or strip the search_key query parameter at the web server, in a WAF rule, or in a small must-use plugin that runs before the vulnerable plugin reads the request. Treat input filtering as a stopgap: stripping tags alone does not prevent breaking out of an HTML attribute, and the durable fix is context-aware output escaping (esc_attr()/esc_html()) at the point the value is printed.
  • Deploy a Web Application Firewall or WordPress security plugin with reflected cross-site scripting signatures as defense in depth while the permanent fix is applied; it is an additional layer, not a substitute for the upgrade.
  • Search web server access logs for requests whose search_key value contains encoded quote, angle-bracket or event-handler sequences (for example %22, %3C, on...=) to identify attempted exploitation and the users who were targeted.
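As an added example of the interim parameter-blocking action above (not code from the plugin vendor or from OpenCVE), here is a must-use plugin that drops search_key from the request when it fails a conservative allowlist, written so it can also be run on its own with php for a self-check against constructed inputs. The allowlist, the function name guard_search_key and the choice to rewrite $_GET and $_REQUEST at load time are assumptions of this example; wp_unslash() and the fact that must-use plugins load before regular plugins are standard WordPress behaviour.

```php
<?php
/**
 * Plugin Name: search_key interim guard (added example, not vendor code)
 *
 * Stopgap for the reflected XSS described on this page: removes the search_key
 * request parameter before any regular plugin reads it unless the value matches
 * a conservative allowlist. Place the file in wp-content/mu-plugins/ and delete
 * it once the plugin is upgraded. The allowlist and the function name are this
 * example's own assumptions, not anything from the affected plugin.
 */
declare(strict_types=1);

// Letters, digits, whitespace and a few punctuation marks that are common in
// product searches. Quotes, angle brackets, '=' and '(' are deliberately left
// out: they are exactly what an attribute or tag break-out needs.
const SEARCH_KEY_ALLOWED = '/\A[\p{L}\p{N}\s._-]{0,100}\z/u';

/**
 * Return $query with search_key removed when it fails the allowlist.
 * $normalize (wp_unslash inside WordPress) is applied before the check so the
 * allowlist sees the real value rather than the slash-escaped copy.
 */
function guard_search_key(array $query, ?callable $normalize = null): array
{
    if (!array_key_exists('search_key', $query)) {
        return $query;
    }
    $value = $query['search_key'];
    if (is_string($value) && $normalize !== null) {
        $value = $normalize($value);
    }
    // Arrays (search_key[]=...) are rejected outright: the plugin expects a string.
    if (!is_string($value) || preg_match(SEARCH_KEY_ALLOWED, $value) !== 1) {
        unset($query['search_key']);
    }
    return $query;
}

if (function_exists('wp_unslash')) {
    // Inside WordPress. Must-use plugins load before regular plugins, so the
    // superglobals are rewritten before the affected plugin can read them.
    $_GET     = guard_search_key($_GET, 'wp_unslash');
    $_REQUEST = guard_search_key($_REQUEST, 'wp_unslash');
} else {
    // Stand-alone self-check with constructed inputs (run: php this-file.php).
    $cases = [
        ['search_key' => 'blue running shoes'],                          // kept
        ['search_key' => '" autofocus onfocus="alert(document.domain)'], // dropped
        ['search_key' => '<img src=x onerror=alert(1)>'],                // dropped
        ['search_key' => ['nested' => 'array']],                          // dropped
        ['page' => '2'],                                                  // untouched
    ];
    foreach ($cases as $query) {
        $before = json_encode($query, JSON_UNESCAPED_SLASHES);
        $after  = json_encode(guard_search_key($query), JSON_UNESCAPED_SLASHES);
        printf("%-70s -> %s\n", $before, $after);
    }
}
```

The trade-off is visible in the allowlist: a legitimate search such as "Tom's" or "A&B" is silently dropped, which is why this belongs in the stopgap category alongside a WAF rule rather than as the fix. Rejecting rather than "cleaning" the value keeps the guard simple and avoids the false sense of safety a tag-stripping filter gives, but the escaping has to be added where the plugin prints the value.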


Advisories

No advisories yet.

History

Mon, 22 Dec 2025 17:15:00 +0000

Type: Metrics | Values Removed: (none) | Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Dec 2025 11:45:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products | Values Removed: (none) | Values Added: Wordpress; Wordpress wordpress

Sun, 21 Dec 2025 04:00:00 +0000

Type: Description | Values Removed: (none) | Values Added: The Product Table for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_key' parameter in all versions up to, and including, 5.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Type: Title | Values Removed: (none) | Values Added: Product Table for WooCommerce <= 5.0.8 - Reflected Cross-Site Scripting
Type: Weaknesses | Values Removed: (none) | Values Added: CWE-79
Type: References | Values Removed: (none) | Values Added:
Type: Metrics | Values Removed: (none) | Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:57.358Z

Reserved: 2025-10-28T14:08:43.558Z

Link: CVE-2025-12398

Vulnrichment

Updated: 2025-12-22T16:38:33.330Z

NVD

Status: Deferred

Published: 2025-12-21T04:16:03.103

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12398

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses