Impact
The vulnerability is PHP Object Injection through deserialization of untrusted data (CWE-502) in the Product Table For WooCommerce plugin. Because the plugin passes attacker-controlled input to unserialize(), an attacker can supply a serialized object of any class that is loaded at that point; PHP rebuilds it with attacker-chosen property values and runs its magic methods (__wakeup, __destruct, __toString and so on) without the plugin ever calling the object itself. What that buys the attacker depends on which "gadget" classes are available in WordPress core, the theme and the other installed plugins: with a suitable property-oriented programming (POP) chain the outcome ranges from arbitrary file deletion and data disclosure to arbitrary PHP code execution, which compromises the whole site and gives a foothold on the underlying server.
Affected Systems
The affected product is the WordPress plugin "Product Table For WooCommerce" supplied by acowebs. All versions up to and including 1.2.4 are vulnerable. Any WordPress site with one of these versions installed and activated is at risk.
Risk and Exploitability
The CVSS base score of 8.8 rates the vulnerability High. Note that 8.8 is below the 9.8 that a network-reachable, unauthenticated, no-interaction vector carries under CVSS 3.x, so the published vector most likely requires either low privileges or some user interaction; check the vector string before treating this as an unauthenticated remote hole. The EPSS score is below 1%, meaning little observed exploitation so far, and the CVE is not listed in the CISA KEV catalog. Neither figure lowers the technical risk: once the entry point is known, the payload is a serialized string that is trivial to construct, and the gadget chain it needs can be supplied by any other installed plugin or theme, not only by this one. Exploitation consists of submitting a crafted serialized object in whatever HTTP request parameter, form field or stored value the plugin feeds to unserialize(). Where a POP chain is present, successful exploitation yields remote code execution as the web server user.
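The deserialization path described in the Impact and Risk and Exploitability sections above, as an added example (not code from the Product Table For WooCommerce plugin or from acowebs): a hypothetical gadget class whose __destruct writes a file, the vulnerable unserialize() call beside two hardened forms, and a cheap input check. The class name, function names, file path and payload are all constructed for illustration, and nothing here reflects where the real plugin's entry point is.

```php
<?php
// Added example, not code from the Product Table For WooCommerce plugin.
// Class names, function names, the file path and the payload are all
// constructed for illustration. Requires PHP 8.0+ (allowed_classes needs 7.0+,
// the return types used here need 8.0+).

// A "gadget": any class already loaded by WordPress, the theme or another
// plugin whose magic method does something useful to an attacker. The
// vulnerable plugin need not define it; it only has to be loaded when
// unserialize() rebuilds the object.
class LogFlusher
{
    public string $path = '/tmp/app.log';
    public string $data = '';

    // Runs when the rebuilt object is destroyed, i.e. as soon as the caller
    // drops the value unserialize() returned. No call by the plugin is needed.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern (CWE-502): request data goes straight to unserialize()
// with no restriction on which classes may be instantiated.
function load_table_settings_vulnerable(string $raw): mixed
{
    return unserialize(base64_decode($raw));
}

// Hardened form 1: refuse every object. An O:... token is turned into
// __PHP_Incomplete_Class, whose magic methods are never invoked.
function load_table_settings_no_objects(string $raw): mixed
{
    return unserialize(base64_decode($raw), ['allowed_classes' => false]);
}

// Hardened form 2: do not use PHP's native format for untrusted input at all.
function load_table_settings_json(string $raw): array
{
    $decoded = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : [];
}

// Cheap WAF/log check: a native-serialized object always starts with
// O:<name length>:"<class name>".
function looks_like_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(^|[;{])O:\d+:"/', $raw);
}

// --- Demonstration with a constructed payload ---
// Built by hand rather than with serialize(new LogFlusher) so that no
// attacker-side object exists; the file is written only by the victim-side
// unserialize().
$path    = sys_get_temp_dir() . '/poi-demo.txt';
$data    = 'gadget reached';
$payload = base64_encode(sprintf(
    'O:10:"LogFlusher":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($path), $path, strlen($data), $data
));

@unlink($path);
$settings = load_table_settings_vulnerable($payload); // object rebuilt here
unset($settings);                                      // __destruct fires here
echo file_exists($path) ? "vulnerable: gadget wrote $path\n" : "no file\n";
@unlink($path);

$settings = load_table_settings_no_objects($payload);
var_dump($settings instanceof __PHP_Incomplete_Class); // bool(true)
unset($settings);
echo file_exists($path) ? "gadget fired\n" : "allowed_classes=false: gadget never ran\n";

try {
    load_table_settings_json(base64_decode($payload));
} catch (JsonException $e) {
    echo "json_decode: rejected (" . $e->getMessage() . ")\n";
}

var_dump(looks_like_serialized_object(base64_decode($payload))); // bool(true)
```

The point of the hand-built payload is that the attacker needs nothing from the target beyond the class name and property names of some loaded gadget; the plugin's own code is never involved after unserialize() returns. When a plugin genuinely needs to rebuild objects from stored data, pass an explicit class list in allowed_classes rather than false, and treat a returned __PHP_Incomplete_Class as invalid input instead of passing it on.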
OpenCVE Enrichment