Impact
This vulnerability stems from the Product Table For WooCommerce plugin failing to sanitize user-supplied data when it is saved and to escape it when it is later rendered in product tables, the classic stored (persistent) cross-site scripting pattern. An attacker who can write into that data channel can have arbitrary HTML or JavaScript delivered to every user who views the affected table. The payload runs in the victim's browser within the site's own origin, so it can perform authenticated actions on the victim's behalf through the site's AJAX or REST endpoints (administrative actions if an administrator views the table), read data the page exposes, redirect traffic, or load further malicious code, compromising the confidentiality and integrity of the site and of its users' sessions.
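The render pattern described above, as an added example that is not code from the Product Table For WooCommerce plugin: the unescaped form beside its escaped counterpart. The `ptwc_` function names and the sample row are hypothetical; `esc_html` and `esc_attr` are the real WordPress escapers, and the `function_exists` stubs only let the file run under the plain `php` CLI outside WordPress.

```php
<?php
// Added example, not plugin code. Stubs so the file runs without WordPress:
// inside WordPress the real esc_html()/esc_attr() are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample row (hypothetical), as it might come back from the
// options table or product meta after a low-privileged user saved it
// through a settings form that did not sanitize its input.
$row = [
    // lands inside a data-label="..." attribute: closes the quote, adds a handler
    'label' => '" onmouseover="alert(document.domain)',
    // lands in a text node: a tag with an event handler is enough
    'value' => '<img src=x onerror="alert(document.domain)">',
];

// Vulnerable: stored data is concatenated straight into markup.
// Every visitor's browser parses the attribute break and the <img> tag.
function ptwc_render_cell_vulnerable(array $row): string {
    return '<td data-label="' . $row['label'] . '">' . $row['value'] . '</td>';
}

// Hardened: escape at the point of output with the escaper that matches
// each context (attribute value vs. text node). Output escaping holds even
// when input-time sanitization was missing or bypassed.
function ptwc_render_cell_escaped(array $row): string {
    return '<td data-label="' . esc_attr($row['label']) . '">'
        . esc_html($row['value']) . '</td>';
}

echo "vulnerable: ", ptwc_render_cell_vulnerable($row), PHP_EOL;
echo "escaped:    ", ptwc_render_cell_escaped($row), PHP_EOL;
```

Escaping on output is the fix that closes the bug; the save path should additionally run the data through `sanitize_text_field()` (or `wp_kses_post()` where limited HTML is intentionally allowed) and be gated by a `current_user_can()` capability check and a nonce check, so that the data channel is not writable by unprivileged users in the first place.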
Affected Systems
The flaw resides in acowebs Product Table For WooCommerce in all releases up to and including version 1.2.3. Any WordPress site with one of those versions installed and active is potentially vulnerable wherever the plugin stores attacker-controllable content, such as table configuration or product fields, and renders it to visitors. Confirm the installed version from the plugin header or with `wp plugin list` before deciding whether a site is in scope.
Risk and Exploitability
The CVSS score of 6.5 denotes medium severity, while the EPSS score below 1% indicates a low predicted likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. From the description it can be inferred that an attacker must be able to save malicious content through the plugin's input interface, which typically requires an authenticated account with the privileges needed to edit the relevant settings or products; that privilege requirement, not any difficulty in crafting the payload, is what keeps the score in the medium range. Once stored, the payload is rendered to every visitor who loads the affected table, including logged-in administrators, so the impact extends to the site's whole audience rather than only the attacker's own session. Treat it as a privilege-escalation path on multi-author sites where untrusted users hold editing roles, and prioritise updating past 1.2.3 (or disabling the plugin) there.