CVE-2026-32450

Vulnerability

Overview The vulnerability is a DOM-Based Cross-Site Scripting (XSS) in the Active Products Tables for WooCommerce plugin (versions up to and including 1.0.7). It stems from improper neutralization of user-supplied input during web page generation, which fails to sanitize or escape data before embedding it into the DOM [1].

Exploitation

Prerequisites Exploitation requires a privileged user to perform an action, such as clicking a malicious link, visiting a crafted page, or submitting a specially crafted form. No direct unauthenticated access is sufficient; the attacker must trick a logged-in user with appropriate roles into triggering the XSS payload [1].

Impact

Successful exploitation allows an attacker to inject arbitrary scripts (e.g., redirects, advertisements, or other HTML/JavaScript payloads) that execute in the context of the victim's browser. This can lead to data theft, defacement, or further compromise of the affected WordPress site [1].

Remediation

The vendor has released version 1.0.8 which addresses the issue. Users are strongly advised to update immediately. Those unable to update should consult their hosting provider or web developer for alternative mitigations [1].