Cyber Resilience

CVE-2025-24596

Medium

Published: 24 January 2025

Modified: 23 April 2026
KEV Added: none (not in CISA KEV)
Patch: (no entry)
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0027 (51.0th percentile)
Risk Priority: 11 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24596 is a medium-severity Missing Authorization (CWE-862) vulnerability in Wcproducttable Woocommerce Product Table. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.0% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-24596 is a missing authorization vulnerability, mapped to CWE-862 (Missing Authorization), in the WC Product Table WooCommerce Product Table Lite WordPress plugin (wc-product-table-lite). It allows an attacker to exploit incorrectly configured access control security levels and affects all versions from n/a (no known lower bound) through 3.8.7. The vulnerability received a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), indicating medium severity: network accessibility, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or availability impact, and low integrity impact.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation has a limited integrity impact: because the plugin does not enforce an authorization check, a request that should be restricted to authorized users can make unauthorized modifications.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wc-product-table-lite/vulnerability/wordpress-woocommerce-product-table-lite-plugin-3-8-7-broken-access-control-vulnerability?_s_id=cve) documents this issue in WooCommerce Product Table Lite version 3.8.7, recommending mitigation by updating to a version beyond 3.8.7 where the access control flaw is addressed.

Vulnerability details

Missing Authorization vulnerability in WC Product Table WooCommerce Product Table Lite wc-product-table-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Product Table Lite: from n/a through <= 3.8.7.

CWE(s): CWE-862 (Missing Authorization)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization (CWE-862) in a public-facing WordPress plugin directly enables remote, unauthenticated exploitation of the web application, which maps to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13472: same product (Wcproducttable Woocommerce Product Table)
CVE-2025-24618: same product class (WordPress / CMS plugin)
CVE-2024-10591: same product class (WordPress / CMS plugin)
CVE-2025-14457: same product class (WordPress / CMS plugin)
CVE-2024-12129: same product class (WordPress / CMS plugin)
CVE-2024-13792: same product class (WordPress / CMS plugin)
CVE-2024-13921: same product class (WordPress / CMS plugin)
CVE-2025-7360: same product class (WordPress / CMS plugin)
CVE-2024-13641: same product class (WordPress / CMS plugin)
CVE-2024-13558: same product class (WordPress / CMS plugin)

Affected Assets

Vendor: wcproducttable
Product: woocommerce product table
Versions: ≤ 3.9.0

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to system resources, directly addressing the missing authorization checks in the WooCommerce Product Table Lite plugin that allow unauthenticated modifications.

SI-2 Flaw Remediation (prevent): Requires timely identification, reporting, and remediation of flaws such as the broken access control in plugin versions <= 3.8.7, for which the recommended fix is updating to a patched version.

AC-6 Least Privilege (prevent): Employs least privilege to restrict unauthenticated attackers from performing unauthorized modifications enabled by the plugin's access control failure.
