Cyber Resilience

CVE-2024-13472

High

Published: 31 January 2025

Published
31 January 2025
Modified
11 February 2025
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0078 74.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13472 is a high-severity Code Injection (CWE-94) vulnerability in Wcproducttable Woocommerce Product Table. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13472 affects the WooCommerce Product Table Lite plugin for WordPress in all versions up to and including 3.9.4. The vulnerability enables arbitrary shortcode execution due to insufficient validation of the 'sc_attrs' parameter before passing it to the do_shortcode function. Additionally, the same parameter is susceptible to Reflected Cross-Site Scripting (XSS). It has been assigned a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWE-94 (Improper Control of Generation of Code).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity by sending crafted requests containing malicious shortcodes or XSS payloads in the 'sc_attrs' parameter. Successful exploitation of arbitrary shortcode execution could allow attackers to run PHP code or other shortcodes available on the target site, potentially leading to site compromise depending on the site's configuration and installed plugins. The Reflected XSS component enables theft of session cookies or other client-side attacks against site visitors.

Advisories from sources like Wordfence recommend updating to a patched version of the plugin, as indicated by the changeset 3231930 in the plugin's Trac repository, which addresses the validation issue around line 1843 in main.php. Security practitioners should review the plugin's developers page on WordPress.org for the latest stable release and apply updates immediately on affected sites.

EU & UK References

Vulnerability details

The The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.9.4. This is due to the software allowing users to execute an action that does not properly validate…

more

a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. The same 'sc_attrs' parameter is vulnerable to Reflected Cross-Site Scripting as well.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Direct remote exploitation of public-facing WordPress plugin enabling arbitrary shortcode/PHP execution via unsanitized parameter.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24596Same product: Wcproducttable Woocommerce Product Table
CVE-2024-13792Same product class: WordPress / CMS plugin
CVE-2025-2485Same product class: WordPress / CMS plugin
CVE-2026-27577Shared CWE-94
CVE-2024-13921Same product class: WordPress / CMS plugin
CVE-2024-54756Shared CWE-94
CVE-2024-21760Shared CWE-94
CVE-2024-55028Shared CWE-94
CVE-2025-2303Shared CWE-94
CVE-2025-24618Same product class: WordPress / CMS plugin

Affected Assets

wcproducttable
woocommerce product table
≤ 3.9.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the core vulnerability by requiring validation of the 'sc_attrs' parameter to prevent arbitrary shortcode execution and reflected XSS.

prevent

Ensures timely identification, reporting, and patching of the plugin flaw as recommended in advisories to eliminate the improper input validation issue.

prevent

Mitigates the reflected XSS aspect by filtering malicious payloads in outputs derived from the unvalidated 'sc_attrs' parameter.

References