CVE-2025-0864
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform reflected cross-site scripting (XSS) attacks via the 'shortcodes_set' parameter in the Active Products Tables for WooCommerce WordPress plugin. Attackers can inject malicious scripts that execute in victims' browsers when they click specially crafted links. All WordPress sites using this plugin up to version 1.0.6.6 are affected.
💻 Affected Systems
- Active Products Tables for WooCommerce WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on victim browsers.
Likely Case
Attackers will use this for session hijacking, credential theft, or delivering phishing pages to targeted users.
If Mitigated
With proper web application firewalls and browser security controls, impact is limited to individual user sessions rather than server compromise.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly weaponized. Attack requires user interaction (clicking malicious link).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.0.6.6
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Active Products Tables for WooCommerce'.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rule
Block requests containing malicious script patterns in the shortcodes_set parameter
Disable Plugin
Temporarily disable the plugin until patched
wp plugin deactivate profit-products-tables-for-woocommerce
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Deploy a web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin panel under Plugins → Installed Plugins
Check Version:
wp plugin get profit-products-tables-for-woocommerce --field=version
Verify Fix Applied:
Verify that the installed plugin version is greater than 1.0.6.6, then test the shortcodes_set parameter with basic XSS payloads to confirm input is no longer reflected unescaped
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with suspicious script patterns in the shortcodes_set parameter
- Multiple failed XSS attempts from the same IP
Network Indicators:
- Unusual GET requests with encoded script tags in parameters
- Traffic patterns matching reflected XSS exploitation
SIEM Query:
web.url:*shortcodes_set=* AND (web.url:*script* OR web.url:*javascript* OR web.url:*onerror*)
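The WAF rule above and the log indicators in this section both come down to the same check: decode the shortcodes_set parameter and look for script-injection patterns. The following Python is an added example, not part of the advisory or the plugin, that runs that check over constructed Apache-style access-log lines. Unlike the SIEM substring query, it URL-decodes the parameter (twice, to catch double-encoded probes) before matching, and it tallies hits per source IP so the "multiple attempts from the same IP" indicator can be thresholded. The log format, IPs and payload strings are all constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not taken from the advisory).
# Lines 2 and 3 carry URL-encoded probes in the vulnerable parameter.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /?shortcodes_set=tbl1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2025:12:00:02 +0000] "GET /?shortcodes_set=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2025:12:00:03 +0000] "GET /?shortcodes_set=%22%20onerror%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Mar/2025:12:00:04 +0000] "GET /wp-admin/ HTTP/1.1" 302 0',
]

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Patterns typical of reflected-XSS probes; applied only after URL decoding.
# The event-handler list is deliberately short to limit false positives
# (a bare "on[a-z]+=" would also match harmless values such as "option=").
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(?:error|load|click|mouseover|focus|toggle)\s*=", re.I),
]


def decode_param(target, name="shortcodes_set"):
    """Return the decoded values of `name` from a request target ([] if absent).

    parse_qs decodes one layer of percent-encoding; the extra unquote()
    catches double-encoded payloads.
    """
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get(name, [])
    return [unquote(v) for v in values]


def is_suspicious(value):
    """True if a decoded parameter value matches any XSS probe pattern."""
    return any(p.search(value) for p in XSS_PATTERNS)


def scan_log(lines, param="shortcodes_set"):
    """Return (ip, decoded_value) for every request whose `param` looks like XSS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        for value in decode_param(m.group("target"), param):
            if is_suspicious(value):
                hits.append((m.group("ip"), value))
    return hits


def hits_per_ip(hits):
    """Count suspicious requests per source IP (for repeat-attempt alerting)."""
    counts = {}
    for ip, _ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG_LINES)
    for ip, value in found:
        print(f"{ip} -> {value!r}")
    print(hits_per_ip(found))
```

Run it against a real access log by replacing SAMPLE_LOG_LINES with the file's lines; the patterns are a starting point and should be tuned to the site's legitimate shortcodes_set values before alerting on them.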
🔗 References
- https://plugins.trac.wordpress.org/browser/profit-products-tables-for-woocommerce/trunk/index.php#L1624
- https://plugins.trac.wordpress.org/browser/profit-products-tables-for-woocommerce/trunk/index.php#L88
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3235888%40profit-products-tables-for-woocommerce&new=3235888%40profit-products-tables-for-woocommerce&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f93dcb51-1caf-4d63-a8f3-f6251dd0d19f?source=cve