VYPR
Unrated severity · NVD Advisory · Published Nov 20, 2024 · Updated Apr 8, 2026

WooCommerce Product Table Lite <= 3.8.6 - Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting

CVE-2024-10899

Description

The WooCommerce Product Table Lite plugin <=3.8.6 allows unauthenticated arbitrary shortcode execution and reflected XSS via the 'id' parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution and reflected cross-site scripting (XSS) in all versions up to and including 3.8.6. The vulnerability resides in the handling of the id parameter, which is passed to do_shortcode() without proper validation [1]. This allows an attacker to inject arbitrary shortcodes or malicious scripts via the same parameter. The affected file is main.php [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by crafting a URL containing a malicious shortcode or XSS payload in the id parameter. No authentication or special privileges are required. For the reflected XSS, the attacker needs to lure a user into visiting the crafted URL; for shortcode execution, the payload is processed server-side as soon as the vulnerable action is triggered by the request.

Impact

Successful exploitation allows an attacker to execute arbitrary WordPress shortcodes, which can lead to various outcomes such as reading sensitive data, modifying content, or executing code if the shortcode permits. Additionally, reflected XSS can be used to steal session cookies, perform actions on behalf of the victim, or deface the site. The attacker gains the ability to perform actions with the privileges of the victim user, potentially escalating to full site compromise if an administrator is targeted.

Mitigation

The vulnerability is fixed in version 3.8.7 and later. Users are strongly advised to update to the latest version (5.0.5 as of the reference [2]), which includes the patch. No workarounds are available. The plugin is actively maintained, and the fix is included in the current release.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input validation on the 'id' parameter in the wcpt_ajax() function allows arbitrary shortcode execution and reflected XSS."

Attack vector

An unauthenticated attacker can send a crafted AJAX request to the `wc_ajax_wcpt_ajax` or `wp_ajax_nopriv_wcpt_ajax` endpoints with a malicious `id` parameter. Because the `id` value is passed directly to `do_shortcode()` without validation, the attacker can execute arbitrary WordPress shortcodes, including built-in shortcodes that may perform sensitive actions. The same `id` parameter is also reflected in the response without escaping, enabling reflected Cross-Site Scripting (XSS) attacks [1].

Affected code

The vulnerability resides in the `wcpt_ajax()` function in `main.php` (line 1778 in version 3.8.6). The function retrieves the `id` parameter from the request and passes it directly to `do_shortcode()` without sanitization, allowing arbitrary shortcode execution. The same `id` parameter is also echoed unsanitized, enabling reflected XSS.

What the fix does

The advisory states that the plugin fails to validate the `id` value before passing it to `do_shortcode()`. A proper fix would validate the `id` parameter (e.g., casting it to an integer; the code already does `(int) $_REQUEST['id']` in one place, but not before the value reaches the shortcode execution) and escape the output to prevent XSS. The patch is not shown in the bundle, but the root cause is clear: the `id` parameter is used unsanitized in both `do_shortcode()` and the response output.
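To make the two defects and their fix concrete, here is an added illustration of the pattern the advisory describes. It is not the plugin's code: the handler bodies, the `hypothetical_` function names and the `example_table` shortcode name are assumptions; only the hook names (`wc_ajax_wcpt_ajax`, `wp_ajax_nopriv_wcpt_ajax`), the `(int) $_REQUEST['id']` cast and the `do_shortcode()` call come from the page. The WordPress functions used (`do_shortcode`, `esc_attr`, `get_post_status`, `wp_send_json_error`, `wp_die`, `add_action`) are real core APIs.

```php
<?php
// Added illustration (not the plugin's code) of an AJAX handler that takes an
// 'id' request parameter, renders a shortcode with it and reflects it back.
// "example_table" is a placeholder shortcode name, not the plugin's.

// VULNERABLE pattern: the raw 'id' string is interpolated into the shortcode
// text, so it controls what do_shortcode() parses, and it is echoed into HTML
// unescaped, which is the reflected XSS.
function hypothetical_wcpt_ajax_vulnerable() {
    $id = $_REQUEST['id'];                                     // untrusted, unvalidated
    echo do_shortcode( '[example_table id="' . $id . '"]' );   // arbitrary shortcode execution
    echo '<div class="wcpt-result" data-id="' . $id . '"></div>'; // reflected XSS
    wp_die();
}

// HARDENED pattern: cast to int *before* the value reaches the shortcode string,
// reject non-positive ids, and escape anything reflected into the response.
function hypothetical_wcpt_ajax_hardened() {
    $id = isset( $_REQUEST['id'] ) ? (int) $_REQUEST['id'] : 0;
    if ( $id <= 0 ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }
    // Defence in depth (assumption, beyond what the advisory states): only render
    // for an id that refers to a published post.
    if ( get_post_status( $id ) !== 'publish' ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    // $id is now a plain integer, so the shortcode text is fully server-controlled.
    echo do_shortcode( '[example_table id="' . $id . '"]' );
    echo '<div class="wcpt-result" data-id="' . esc_attr( $id ) . '"></div>';
    wp_die();
}

// Hook names taken from the advisory; both the unauthenticated WP AJAX path and
// the WooCommerce AJAX path route to the hardened handler.
add_action( 'wp_ajax_nopriv_wcpt_ajax', 'hypothetical_wcpt_ajax_hardened' );
add_action( 'wp_ajax_wcpt_ajax', 'hypothetical_wcpt_ajax_hardened' );
add_action( 'wc_ajax_wcpt_ajax', 'hypothetical_wcpt_ajax_hardened' );
```

The key point the hardened version makes is ordering: the integer cast must happen before the value is concatenated into the shortcode text, otherwise an attacker still chooses what `do_shortcode()` parses even if the cast is applied elsewhere. Escaping with `esc_attr()` closes the second defect independently, so a reviewer should check for both controls, not just one.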

Preconditions

  • Network: The attacker must be able to send HTTP requests to the WordPress site (no authentication required).
  • Config: The WooCommerce Product Table Lite plugin must be installed and active.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in our index yet)