Impact
An unauthenticated Cross Site Scripting (XSS) flaw exists in the WordPress WooCommerce Product Table Lite plugin through version 4.6.3. The vulnerability allows an attacker to insert and execute arbitrary JavaScript in a victim’s browser when the vulnerable product table page is viewed. The injected code can lead to malicious actions such as forging requests, stealing session cookies, and defacing content. The weakness is an input validation flaw (CWE-79).
Affected Systems
The vulnerability affects sites that have the WooCommerce Product Table Lite plugin version 4.6.3 or earlier. The plugin is commonly used to display products in a table format on e‑commerce WordPress installations.
Risk and Exploitability
The vulnerability has a CVSS base score of 7.1, indicating a medium to high risk to confidentiality, integrity and availability. The EPSS score of less than 1% suggests a very low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalogue. The attack vector is inferred to be through any unauthenticated user who can access a page rendering the product table, meaning public visitors can trigger the XSS by visiting the affected page.
OpenCVE Enrichment