CVE-2024-10959
Description
Unauthenticated attackers can execute arbitrary WordPress shortcodes via a missing capability check in the Active Products Tables for WooCommerce plugin ≤1.0.6.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Active Products Tables for WooCommerce plugin (WordPress.org slug profit-products-tables-for-woocommerce) serves table data through the woot_get_smth AJAX action. The handler passes a value taken from the request straight into do_shortcode() without validating it, so whatever shortcode syntax the caller supplies is expanded and executed on the server. Because the action is reachable without a logged-in session (the wp_ajax_nopriv_ path of admin-ajax.php), no account is needed [1].
Exploitation is a single POST to /wp-admin/admin-ajax.php with action=woot_get_smth and the shortcode text in the field the handler reads. No session cookie is required. A nonce check alone would not close this: nonces are a CSRF control, and any visitor can obtain one for an action exposed to unauthenticated users. The missing control is validation of the shortcode value itself, either an allowlist of the plugin's own tags or assembling the shortcode server-side from a numeric table ID [1].
The impact depends on which shortcodes are registered on the target site. Core shortcodes are largely benign, but shortcodes defined by other plugins and the theme may expose privileged functionality such as creating users, running database queries, reading files or redirecting visitors, and the attacker can invoke any of them with whatever attributes they accept. The issue is rated High (CVSS 7.3) because it is unauthenticated and, on a site where a dangerous shortcode is installed, can lead to full compromise [1].
The Patches section of this page references WordPress.org changeset r3199368; check the plugin changelog for the release that carries it and update to that version. Where updating is not immediately possible, disable the plugin or block the woot_get_smth action for unauthenticated requests at the web server or with a must-use plugin [1].
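The following is an added example, not the plugin's own code. It reconstructs the pattern the advisory describes (an AJAX handler that hands request input to do_shortcode()) and places two hardened handlers beside it. The request parameter names shortcode and table_id, the shortcode tag woot, and the attribute names id, per_page and orderby are assumptions for illustration; the real plugin's names are not given on this page.

```php
<?php
// Added example, not the plugin's own code. The parameter names, the
// shortcode tag "woot" and the attribute allowlist are assumptions.

// --- Vulnerable pattern: whatever the request carries is expanded -----------
add_action('wp_ajax_nopriv_woot_get_smth', 'woot_get_smth_vulnerable');
add_action('wp_ajax_woot_get_smth',        'woot_get_smth_vulnerable');

function woot_get_smth_vulnerable() {
    $raw = isset($_REQUEST['shortcode']) ? wp_unslash($_REQUEST['shortcode']) : '';
    // No allowlist: "[tag_from_another_plugin attr=...]" sent by any visitor runs here.
    echo do_shortcode($raw);
    wp_die();
}

// --- Hardened, option A: never accept shortcode text from the client --------
// The client sends only a table ID; the shortcode string is built server-side,
// so only this plugin's own tag can ever reach do_shortcode().
function woot_get_smth_by_id() {
    $table_id = isset($_REQUEST['table_id']) ? absint($_REQUEST['table_id']) : 0;
    if ($table_id === 0) {
        wp_send_json_error(['message' => 'missing table_id'], 400); // exits
    }
    echo do_shortcode(sprintf('[woot id="%d"]', $table_id));
    wp_die();
}

// --- Hardened, option B: accept shortcode text, but only an allowlisted tag --
// For the case where the client legitimately passes attributes through.
function woot_get_smth_allowlisted() {
    $raw     = isset($_REQUEST['shortcode']) ? wp_unslash($_REQUEST['shortcode']) : '';
    $allowed = ['woot']; // this plugin's own tag(s) only (assumed name)

    // Exactly one shortcode: no nesting, no closing tag, no "]" inside attributes.
    // A quoted "]" is rejected as well; failing closed is the intent.
    $tags = implode('|', array_map('preg_quote', $allowed));
    if (!preg_match('/\A\[(' . $tags . ')(\s[^\]]*)?\]\z/', $raw, $m)) {
        wp_send_json_error(['message' => 'shortcode not allowed'], 400); // exits
    }

    // Re-parse the attributes and rebuild the string so only known attributes,
    // each passed through a sanitizer, survive into do_shortcode().
    $atts = isset($m[2]) ? shortcode_parse_atts(trim($m[2])) : [];
    $atts = is_array($atts) ? $atts : [];
    $keep = ['id' => 'absint', 'per_page' => 'absint', 'orderby' => 'sanitize_key'];
    $parts = [];
    foreach ($keep as $name => $sanitizer) {
        if (isset($atts[$name])) {
            $parts[] = sprintf('%s="%s"', $name, esc_attr($sanitizer($atts[$name])));
        }
    }
    echo do_shortcode('[' . $m[1] . ($parts ? ' ' . implode(' ', $parts) : '') . ']');
    wp_die();
}
```

Option A is the stronger design because the client never controls shortcode syntax at all; option B is the minimal change when an existing front end already sends shortcode text. Neither relies on check_ajax_referer(), which only proves the request originated from a page that handed out a nonce and does not distinguish an anonymous visitor from an attacker when the action is registered on the nopriv hook.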
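An interim mitigation of the kind the advisory suggests, as an added example that is not the vendor's code: a must-use plugin that refuses the woot_get_smth action before the plugin's handler runs. It relies on admin-ajax.php firing admin_init before dispatching to the wp_ajax_ and wp_ajax_nopriv_ hooks. The choice of the manage_options capability as the cut-off is an assumption; refusing the action for everyone is equally valid and breaks the plugin's front-end tables for visitors in the same way.

```php
<?php
/**
 * Plugin Name: Interim block for woot_get_smth
 * Description: Added example, not the vendor's code. Place in
 *              wp-content/mu-plugins/ to refuse the vulnerable AJAX action
 *              until the plugin is updated to a fixed release.
 */

// admin-ajax.php fires admin_init before routing to wp_ajax_{nopriv_}* hooks,
// so priority 0 here runs ahead of the plugin's own handler.
add_action('admin_init', function () {
    if (!wp_doing_ajax()) {
        return;
    }
    // admin-ajax.php itself reads the action name from $_REQUEST['action'].
    $action = isset($_REQUEST['action']) ? sanitize_key(wp_unslash($_REQUEST['action'])) : '';
    if ($action !== 'woot_get_smth') {
        return;
    }
    // Policy (assumed): only administrators may still reach the action.
    // Replace the condition with `true` to refuse every caller.
    if (!current_user_can('manage_options')) {
        error_log(sprintf(
            'blocked woot_get_smth from %s',
            isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ));
        wp_send_json_error(['message' => 'forbidden'], 403); // exits
    }
}, 0);
```

The error_log() line doubles as a detection signal: any hit from an unauthenticated client while this is deployed is an exploitation attempt worth correlating with the web server access log. Remove the file once the site runs a release that carries the fix.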
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 1 (WordPress.org changeset r3199368)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.