WooCommerce Product Table Lite <= 3.9.4 - Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting
Description
Unauthenticated attackers can execute arbitrary WordPress shortcodes via an improperly validated parameter in WooCommerce Product Table Lite up to 3.9.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WooCommerce Product Table Lite plugin for WordPress, in all versions up to and including 3.9.4, contains a vulnerability that allows unauthenticated arbitrary shortcode execution. The sc_attrs parameter is insufficiently validated before being passed to the do_shortcode WordPress function, making it possible to execute any built-in or registered shortcode. The same parameter also suffers from reflected Cross-Site Scripting (XSS) [1].
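The pattern described above, passing a request parameter straight into do_shortcode, is shown here next to a hardened handler. This is an added illustration for defenders, not the plugin's own code: the function names, the hook name wcpt_render_table, the nonce action, the attribute allowlist and the product_table tag are all assumptions for the example. The hardened version never re-parses attacker-influenced text as shortcode markup; it extracts attributes, keeps only allowlisted keys whose values match a strict pattern, invokes the one intended shortcode callback directly, and escapes the result before output.

```php
<?php
// Added example; not code from the WooCommerce Product Table Lite plugin.
// All identifiers below are hypothetical.

// UNSAFE pattern (the class of defect the advisory describes): raw request data is
// interpolated into shortcode syntax and rendered. Any registered shortcode the
// caller names is executed, and the output is echoed without escaping.
function wcpt_render_table_unsafe() {
    $sc_attrs = isset( $_GET['sc_attrs'] ) ? wp_unslash( $_GET['sc_attrs'] ) : '';
    echo do_shortcode( '[product_table ' . $sc_attrs . ']' );
    wp_die();
}

// HARDENED handler.
function wcpt_render_table_safe() {
    // Tie the request to a nonce issued by the page that embeds the table
    // (action name 'wcpt_table' is an assumption). Works for logged-out users too.
    check_ajax_referer( 'wcpt_table', 'nonce' );

    // Allowlist: attribute name => regex the value must fully match.
    // Keys and patterns are illustrative; a real plugin would list its own attributes.
    $allowed = array(
        'columns'       => '/^[a-z_:,]{1,200}$/',
        'category'      => '/^[a-z0-9\-,]{1,100}$/',
        'rows_per_page' => '/^[0-9]{1,3}$/',
        'sort_by'       => '/^(name|price|date|sku)$/',
    );

    $raw = isset( $_GET['sc_attrs'] ) && is_string( $_GET['sc_attrs'] )
        ? wp_unslash( $_GET['sc_attrs'] )
        : '';

    // shortcode_parse_atts() only splits key="value" pairs; it does not execute anything.
    $parsed = shortcode_parse_atts( $raw );
    $atts   = array();
    if ( is_array( $parsed ) ) {
        foreach ( $allowed as $key => $pattern ) {
            if ( isset( $parsed[ $key ] ) && is_string( $parsed[ $key ] )
                && preg_match( $pattern, $parsed[ $key ] ) ) {
                $atts[ $key ] = $parsed[ $key ];
            }
        }
    }

    // Call the single intended shortcode's callback with the filtered array, the
    // same way WordPress core invokes it, instead of re-parsing text through
    // do_shortcode(). No other registered shortcode is reachable this way.
    global $shortcode_tags;
    if ( ! isset( $shortcode_tags['product_table'] ) ) {
        wp_send_json_error( 'shortcode not registered', 500 );
    }
    $html = call_user_func( $shortcode_tags['product_table'], $atts, '', 'product_table' );

    // Restrict the returned markup to post-safe HTML so reflected script cannot reach
    // the browser even if the callback echoes an attribute back.
    echo wp_kses_post( $html );
    wp_die();
}
add_action( 'wp_ajax_wcpt_render_table', 'wcpt_render_table_safe' );
add_action( 'wp_ajax_nopriv_wcpt_render_table', 'wcpt_render_table_safe' );
```

The two controls that matter most are the allowlist (unknown attribute names and malformed values are silently dropped rather than passed through) and the direct callback invocation, which removes do_shortcode's parser from the path entirely; wp_kses_post on the way out addresses the reflected XSS half of the advisory independently of the shortcode fix.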
Exploitation
An unauthenticated attacker can send a crafted request containing a malicious value in the sc_attrs parameter. No special privileges or user interaction are required for the shortcode execution, which is triggered directly by a single HTTP request to the vulnerable action; only the XSS variant requires enticing a user to visit a crafted URL.
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary shortcodes within the WordPress site context. This can lead to various outcomes, including content injection, privilege escalation if privilege-related shortcodes exist, or information disclosure. The reflected XSS variant could allow an attacker to inject arbitrary web scripts into pages, which will execute in the context of a victim's browser, potentially leading to session hijacking or credential theft.
Mitigation
The plugin repository lists 5.0.5 as the latest version [1], while the vulnerability is described for versions up to and including 3.9.4; the available references do not state which version contains the fix, so the vendor's advisory or changelog should be consulted to confirm it. Absent an explicit patched version number, users should upgrade to the latest version (5.0.5 or higher) as reported by the plugin repository [1]. No official workaround is documented. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WooCommerce Product Table Lite (no CPE): range <= 3.9.4
- (no CPE): range 0
Patches
- r3231930
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4 references recorded.
News mentions
0 linked articles. No linked articles in our index yet.