CVE-2024-6458
📋 TL;DR
This vulnerability in WooCommerce Product Table Lite plugin allows authenticated users with subscriber-level access or higher to modify arbitrary post titles without proper authorization. Missing sanitization can lead to stored cross-site scripting (XSS) when admins view the modified content. All WordPress sites using this plugin up to version 3.5.1 are affected.
💻 Affected Systems
- WooCommerce Product Table Lite
📦 What is this software?
Woocommerce Product Table by Wcproducttable
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious JavaScript that executes in admin sessions, potentially leading to full site compromise, data theft, or admin account takeover.
Likely Case
Unauthorized content modification leading to defacement, SEO spam injection, or limited XSS attacks against administrators.
If Mitigated
With proper user role restrictions and input validation, impact is limited to minor content manipulation by authorized users.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple. The vulnerability is publicly documented with code references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.2 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WooCommerce Product Table Lite'.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.5.2+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched
wp plugin deactivate wc-product-table-lite
User Role Restriction
Temporarily strip the subscriber role from subscriber-level users (their accounts remain, but they lose the capabilities that role grants); restore the role after patching
wp user list --role=subscriber --field=ID | xargs -I {} wp user remove-role {} subscriber
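The role-restriction workaround above is one-way: once the roles are gone, nothing records which users to give them back to after the update. The following script is an added example (not part of the advisory, WP-CLI or the plugin) that snapshots the subscriber IDs to a file before stripping the role and provides the matching restore step. It assumes WP-CLI is on the PATH and is run from the WordPress root; the snapshot file name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): reversible version of the
# "strip the subscriber role" workaround for CVE-2024-6458.
# Assumes wp-cli is on PATH and the script runs from the WordPress root.

# File that records the affected user IDs so the change can be undone.
# Placeholder path; override with SNAPSHOT=/some/path before running.
SNAPSHOT="${SNAPSHOT:-./wcpt-subscriber-ids.txt}"

# snapshot_and_restrict: write every subscriber's ID to $SNAPSHOT, then remove the
# subscriber role from each of them (accounts stay, capabilities go).
# Prints the number of users processed.
snapshot_and_restrict() {
    wp user list --role=subscriber --field=ID > "$SNAPSHOT" </dev/null || return 1
    while read -r id; do
        [ -n "$id" ] || continue
        # </dev/null keeps wp-cli from consuming the loop's stdin
        wp user remove-role "$id" subscriber >/dev/null </dev/null || return 1
    done < "$SNAPSHOT"
    wc -l < "$SNAPSHOT" | tr -d ' '
}

# restore_subscribers: after updating to 3.5.2 or later, give the role back to
# exactly the users recorded in $SNAPSHOT.
restore_subscribers() {
    [ -f "$SNAPSHOT" ] || { echo "no snapshot at $SNAPSHOT" >&2; return 1; }
    while read -r id; do
        [ -n "$id" ] || continue
        wp user set-role "$id" subscriber >/dev/null </dev/null || return 1
    done < "$SNAPSHOT"
}

# Usage: ./wcpt-restrict.sh restrict   (before patching)
#        ./wcpt-restrict.sh restore    (after patching)
case "${1:-}" in
    restrict) snapshot_and_restrict ;;
    restore)  restore_subscribers ;;
esac
```

Whether stripping the role is enough depends on what check the vulnerable handler performs, which the advisory does not say; deactivating the plugin is the workaround that does not depend on that detail.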
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block admin-ajax.php requests whose action parameter is wcpt_presets__duplicate_preset_to_table
- Apply principle of least privilege: review and minimize user accounts with subscriber or higher roles
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in the WordPress admin under Plugins → Installed Plugins, or with WP-CLI:
Check Version:
wp plugin get wc-product-table-lite --field=version
Verify Fix Applied:
Confirm version is 3.5.2 or higher and test that subscriber users cannot modify post titles via the plugin interface
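The version check above is easy to get wrong with a string comparison ("3.10.0" sorts before "3.5.2" lexically). The script below is an added example, not from the advisory or the plugin: it compares dot-separated version components numerically, wraps the wp-cli command the advisory gives, and returns a distinct exit code for fixed, vulnerable and not-installed. It assumes WP-CLI is on the PATH and is run from the WordPress root.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): decide from a version
# string whether WooCommerce Product Table Lite still carries CVE-2024-6458.
# The advisory gives 3.5.2 as the fixed release; wp-cli is assumed on PATH.

FIXED_VERSION="3.5.2"
PLUGIN_SLUG="wc-product-table-lite"

# version_ge A B: exit 0 when A >= B, comparing each dot-separated component
# numerically. A plain string compare gets this wrong ("3.10.0" < "3.5.2"),
# which matters as soon as the plugin passes 3.9.x.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # "+0" coerces "2-beta" to 2, missing parts to 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# is_fixed_version V: exit 0 when V is 3.5.2 or later.
is_fixed_version() {
    version_ge "$1" "$FIXED_VERSION"
}

# check_installed_plugin: query the live site with the wp-cli command from the
# advisory and print a verdict. Exit 0 = fixed, 1 = vulnerable, 2 = not installed.
check_installed_plugin() {
    v=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
        echo "$PLUGIN_SLUG: not installed (or wp-cli failed)"
        return 2
    }
    if is_fixed_version "$v"; then
        echo "$PLUGIN_SLUG $v: patched (>= $FIXED_VERSION)"
        return 0
    fi
    echo "$PLUGIN_SLUG $v: VULNERABLE (< $FIXED_VERSION), update or deactivate"
    return 1
}

# Usage: ./wcpt-check.sh --check ; the exit code is suitable for a cron or CI gate.
if [ "${1:-}" = "--check" ]; then
    check_installed_plugin
fi
```

The version test only says whether the code is the fixed release; it does not replace the second half of the verification step, confirming that a subscriber account can no longer change post titles through the plugin.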
📡 Detection & Monitoring
Log Indicators:
- POST requests to admin-ajax.php with action=wcpt_presets__duplicate_preset_to_table from non-admin users
- Unexpected post_title modifications in WordPress database
Network Indicators:
- HTTP requests containing wcpt_presets__duplicate_preset_to_table parameter from unauthorized IPs
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "wcpt_presets__duplicate_preset_to_table" AND NOT user_role="administrator"
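For sites without a SIEM, the first log indicator can be checked directly against the web server's access log. The script below is an added example (not from the advisory or the plugin) that runs the rule over a few constructed combined-format log lines; the second sample line shows the rule's limit, since an action sent in the POST body rather than the query string never reaches the access log and needs a WAF or request-body logging to see. Note also that stock web-server logs carry no WordPress role, so the user_role condition in the SIEM query above assumes an application-level log or enrichment that maps the request to a user.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): pick out access-log lines
# matching the first log indicator, i.e. admin-ajax.php requests whose action is
# wcpt_presets__duplicate_preset_to_table. Works on Apache/nginx combined-format
# logs, where the request target is field 7 and the method is field 6.

# Constructed sample log (not real traffic). Line 2 carries the action in the
# POST body, so the access log has nothing to match on; lines 1 and 4 should hit,
# line 3 is ordinary heartbeat traffic.
SAMPLE_LOG='203.0.113.7 - - [10/Jul/2024:12:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wcpt_presets__duplicate_preset_to_table HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2024:12:01:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2024:12:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 23 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2024:12:03:44 +0000] "GET /wp-admin/admin-ajax.php?action=wcpt_presets__duplicate_preset_to_table&post=12 HTTP/1.1" 200 512 "-" "curl/8.0"'

# flag_preset_duplicate_requests: read log lines on stdin and print
# "<client ip> <timestamp> <method> <request target>" for each hit.
flag_preset_duplicate_requests() {
    awk '
        $7 ~ /\/admin-ajax\.php\?/ &&
        $7 ~ /[?&]action=wcpt_presets__duplicate_preset_to_table(&|$)/ {
            sub(/^\[/, "", $4)   # drop the leading "[" of the timestamp
            sub(/^"/, "", $6)    # drop the leading quote of the request line
            print $1, $4, $6, $7
        }'
}

# count_sample_hits: number of constructed lines that trip the rule (2).
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | flag_preset_duplicate_requests | wc -l | tr -d ' '
}

# Usage on a real log:  flag_preset_duplicate_requests < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | flag_preset_duplicate_requests
```

Hits from a client whose session is not an administrator's are the ones worth following up, together with the second indicator (unexpected post_title changes), since a hit on its own is only the plugin's own UI being used.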
🔗 References
- https://plugins.trac.wordpress.org/browser/wc-product-table-lite/trunk/presets/presets.php#L120
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3125858%40wc-product-table-lite&new=3125858%40wc-product-table-lite&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e06fb465-4c72-49a8-af35-ff6d629ff9a0?source=cve