WordPress Plugin Vulnerabilities

WooCommerce Product Table Lite < 3.8.6 - Missing Authorization to (Subscriber+) Stored Cross-Site Scripting

Description

The WooCommerce Product Table Lite plugin for WordPress is vulnerable to unauthorized post title modification due to a missing capability check on the wcpt_presets__duplicate_preset_to_table function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers with subscriber access and above to change titles of arbitrary posts. Missing sanitization can lead to Stored Cross-Site Scripting when viewed by an admin via the WooCommerce Product Table.

Affects Plugins

Plugin icon
wc-product-table-lite
Fixed in 3.8.6

References

CVE
CVE-2024-6458
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e06fb465-4c72-49a8-af35-ff6d629ff9a0

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
84c90cca-9212-476b-a315-017b1a8256bd

Timeline

Publicly Published
2024-07-26 (about 1 year ago)
Added
2024-07-26 (about 1 year ago)
Last Updated
2024-07-27 (about 1 year ago)

Other

Published
Title
Published
2025-12-28
Title
HR Management Lite < 3.8 - Missing Authorization
Published
2026-01-08
Title
Felan Framework <= 1.1.3 - Missing Authorization
Published
2025-04-17
Title
Eduma < 5.6.5 - Missing Authorization
Published
2024-12-19
Title
Userpro <= 5.1.9 - Missing Authorization
Published
2024-06-07
Title
WP Reset < 2.03 - Missing Authorization to License Key Modification