CVE-2024-10168

6.4 MEDIUM

📋 TL;DR

This vulnerability is a stored cross-site scripting (XSS) flaw: authenticated WordPress users with contributor-level access or higher can inject malicious scripts into web pages through the woot_button shortcode. The scripts execute in the browser of any user who views the compromised pages, enabling session hijacking, defacement, or malware distribution. All WordPress sites running the Active Products Tables for WooCommerce plugin at version 1.0.6.4 or earlier are affected.

💻 Affected Systems

Products:
  • Active Products Tables for WooCommerce WordPress plugin
Versions: All versions up to and including 1.0.6.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with contributor role or higher. WooCommerce must be installed but doesn't need to be active.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers steal administrator credentials, take over the WordPress site, install backdoors, and compromise visitor data through malicious scripts.

🟠 Likely Case: Attackers deface pages, redirect users to malicious sites, or steal session cookies from logged-in users.

🟢 If Mitigated: With proper user role management and input validation, impact is limited to minor defacement or script injection that is quickly detected.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires contributor-level access but is technically simple once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.6.5

Vendor Advisory: https://wordpress.org/plugins/profit-products-tables-for-woocommerce/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Active Products Tables for WooCommerce'.
4. Click 'Update Now' if available, or manually update to version 1.0.6.5+.
5. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable vulnerable shortcode (applies to: all)

Remove or disable the woot_button shortcode functionality. Add to the theme's functions.php, hooked late on init so it runs after the plugin has registered the shortcode (pages that already use the shortcode will then show it as literal text):

add_action( 'init', function () { remove_shortcode( 'woot_button' ); }, PHP_INT_MAX );

Restrict user roles (applies to: all)

Temporarily remove contributor posting capabilities. Use a WordPress role editor plugin or add:

// Contributors do not hold publish_posts by default; edit_posts is the capability that lets them create and edit drafts containing the shortcode.
// Role changes are saved to the database, so restore the capability with add_cap() once the plugin is patched.
get_role( 'contributor' )->remove_cap( 'edit_posts' );

🧯 If You Can't Patch

  • Implement strict input validation and output escaping for all shortcode attributes
  • Apply web application firewall rules to block XSS payloads in POST/GET requests
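As an added stop-gap for the "If You Can't Patch" guidance above (example code written for this page, not the plugin's own), a must-use plugin that wraps whatever handler the plugin registered for woot_button, sanitising attribute values on the way in and filtering the rendered HTML on the way out. It assumes the plugin registers the shortcode on or before the init hook; the file name is hypothetical.

```php
<?php
// Hypothetical file: wp-content/mu-plugins/woot-button-attr-guard.php
// Added stop-gap example, not code from the plugin. Wraps whatever handler
// the plugin registered for [woot_button] so attribute values are cleaned
// before the plugin renders them and the rendered HTML is filtered after.
add_action( 'init', function () {
    global $shortcode_tags;

    // Assumption: the plugin has registered the shortcode by the time init
    // reaches this (very late) priority. If it has not, do nothing.
    if ( empty( $shortcode_tags['woot_button'] ) ) {
        return;
    }
    $original = $shortcode_tags['woot_button'];

    add_shortcode( 'woot_button', function ( $atts, $content = '', $tag = 'woot_button' ) use ( $original ) {
        $clean = array();
        // WordPress passes an empty string when the shortcode has no attributes.
        foreach ( ( is_array( $atts ) ? $atts : array() ) as $key => $value ) {
            // Keep only attribute names that are plain identifiers.
            if ( ! preg_match( '/^[a-z0-9_-]+$/i', (string) $key ) ) {
                continue;
            }
            // Strip tags and encode stray '<'; this covers the <script> case.
            $value = sanitize_text_field( (string) $value );
            // Attribute-context payloads carry no tags, so also refuse values
            // that look like event handlers or javascript: URLs.
            if ( preg_match( '/\bon[a-z]+\s*=|javascript\s*:/i', $value ) ) {
                return ''; // refuse to render rather than guess
            }
            $clean[ $key ] = $value;
        }
        // Render with the cleaned attributes, then apply the post-content
        // HTML allow-list, which drops <script> tags and on* attributes.
        $html = call_user_func( $original, $clean, $content, $tag );
        return wp_kses_post( (string) $html );
    } );
}, PHP_INT_MAX ); // run after the plugin's own init-time registration
```

Because the filtering is generic it can also strip markup the button legitimately needs, so test it on a staging copy first. It is a bridge until 1.0.6.5 is installed, not a replacement for the update.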

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin → Plugins → Active Products Tables for WooCommerce. If version is 1.0.6.4 or lower, you're vulnerable.

Check Version:

wp plugin list --name=profit-products-tables-for-woocommerce --field=version

(WP-CLI filters on the plugin slug from the vendor advisory URL, not on the display name.)

Verify Fix Applied:

Confirm the plugin version is 1.0.6.5 or higher, then test the woot_button shortcode with script payloads on a staging copy and confirm the output renders as inert text rather than executing.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to wp-admin with script tags in parameters
  • Multiple page edits by contributor users in short timeframe

Network Indicators:

  • Outbound connections to suspicious domains from your WordPress site
  • Unexpected JavaScript includes in page responses

SIEM Query:

source="wordpress" AND ("woot_button" OR "script" OR "onerror") AND status=200

The bare "script" term will match a great deal of legitimate traffic; narrow the search to post-editing requests (for example post.php or admin-ajax.php in the request path) and to request bodies that contain the woot_button shortcode to keep the result set reviewable.
