Description
The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to unauthorized filter calling due to insufficient restrictions on the get_smth() function in all versions up to, and including, 1.0.6.7. This makes it possible for unauthenticated attackers to call arbitrary WordPress filters with a single parameter.
Published: 2025-03-26
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Active Products Tables for WooCommerce plugin contains an insufficiently restricted function, get_smth(), that lets callers trigger any WordPress filter with a single parameter. Because the function requires no authentication, unauthenticated attackers can invoke arbitrary filters, potentially executing arbitrary PHP code or modifying site behavior. The weakness is classified as improper input validation (CWE-20). Successful exploitation could give an attacker full control over the affected WordPress site, jeopardizing confidentiality, integrity and availability.

Affected Systems

The vulnerability affects the realmag777 Active Products Tables for WooCommerce – Use constructor to create tables plugin for WordPress, specifically all releases through 1.0.6.7. Users who have not upgraded beyond this version are at risk.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog, suggesting no documented exploits exist yet. However, the flaw lets attackers call arbitrary filters remotely, which could be leveraged to execute code remotely if malicious filters are present or injected.

Generated by OpenCVE AI on April 22, 2026 at 01:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Active Products Tables for WooCommerce plugin to any release newer than 1.0.6.7, which removes the unauthenticated filter invocation flaw.
  • If an immediate upgrade is not feasible, disable or remove the vulnerable get_smth() function from the plugin’s code to block unauthenticated filter calls until a patch is applied.
  • As a temporary measure, consider disabling the plugin entirely on production servers until a corrective update is deployed.



Advisories
Source: EUVD
ID: EUVD-2025-8114
Title: The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to unauthorized filter calling due to insufficient restrictions on the get_smth() function in all versions up to, and including, 1.0.6.7. This makes it possible for unauthenticated attackers to call arbitrary WordPress filters with a single parameter.

History

Wed, 26 Mar 2025 15:15:00 +0000

Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 26 Mar 2025 08:30:00 +0000

Values Added:
  • Description: The Active Products Tables for WooCommerce. Use constructor to create tables plugin for WordPress is vulnerable to unauthorized filter calling due to insufficient restrictions on the get_smth() function in all versions up to, and including, 1.0.6.7. This makes it possible for unauthenticated attackers to call arbitrary WordPress filters with a single parameter.
  • Title: Active Products Tables for WooCommerce <= 1.0.6.7 - Unauthenticated Arbitrary Filter Call
  • Weaknesses: CWE-20
  • References
  • Metrics: cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:49.511Z

Reserved: 2025-02-20T19:48:58.712Z

Link: CVE-2025-1514

Vulnrichment

Updated: 2025-03-26T14:12:13.405Z

NVD

Status: Deferred

Published: 2025-03-26T09:15:15.950

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:00:05Z

Weaknesses
  • CWE-20: Improper Input Validation