Cyber Posture

CVE-2025-24596

Severity: Medium
Published: 24 January 2025
Modified: 23 April 2026
KEV Added: not listed
Patch: update to a fixed version (see Deeper analysis below)
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0027 (50.6th percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24596 is a medium-severity Missing Authorization (CWE-862) vulnerability in WC Product Table's WooCommerce Product Table Lite WordPress plugin (wc-product-table-lite; listed by NVD under the product name Wcproducttable Woocommerce Product Table). Its CVSS v3.1 base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score sits at the 50.6th percentile, i.e. in the top 49.4% of CVEs by predicted exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation), supported by AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for access to system resources, directly addressing the missing authorization checks in the WooCommerce Product Table Lite plugin that allow unauthenticated modifications.

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and remediation of flaws such as the broken access control in plugin versions <= 3.8.7; here the remediation is updating to a patched version.

AC-6 Least Privilege (prevent)

Restricts unauthenticated (and otherwise under-privileged) users from performing the unauthorized modifications enabled by the plugin's access control failure.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization (CWE-862) in public-facing WordPress plugin directly enables remote unauthenticated exploitation of the web application, mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Missing Authorization vulnerability in WC Product Table WooCommerce Product Table Lite wc-product-table-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Product Table Lite: from n/a through <= 3.8.7.

Deeper analysis

CVE-2025-24596 is a missing authorization vulnerability, mapped to CWE-862 (Missing Authorization), in the WC Product Table WooCommerce Product Table Lite WordPress plugin (wc-product-table-lite). It is classified by NVD as exploiting incorrectly configured access control security levels and affects all versions from n/a through 3.8.7. The CVSS v3.1 base score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N): network-reachable, low attack complexity, no privileges and no user interaction required, unchanged scope, no confidentiality or availability impact, and low integrity impact.

An unauthenticated remote attacker can therefore reach the flaw over the network with low complexity and no victim interaction. Successful exploitation is limited to integrity impact, such as unauthorized modification of plugin-managed data or settings that the plugin should have gated behind an authorization check. Neither the NVD text nor the advisory names the affected endpoint, so defenders should rely on the installed plugin version rather than on blocking a specific request.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wc-product-table-lite/vulnerability/wordpress-woocommerce-product-table-lite-plugin-3-8-7-broken-access-control-vulnerability?_s_id=cve) documents the issue in WooCommerce Product Table Lite versions up to and including 3.8.7 and recommends updating to a release after 3.8.7 in which the access control flaw is fixed.
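To make the CWE-862 pattern behind this CVE (and the AC-3 / AC-6 controls listed above) concrete, the following is an added illustrative example, not code from the wc-product-table-lite plugin or from Patchstack. It shows a hypothetical WordPress settings handler first written the vulnerable way (an AJAX action exposed to logged-out visitors with no authorization check) and then hardened with a capability check, a nonce and input sanitisation, plus the equivalent rule for a REST route. The hook names, option name, REST namespace and the manage_woocommerce capability are assumptions chosen for illustration.

```php
<?php
// Illustrative CWE-862 (missing authorization) pattern for a WordPress plugin.
// Added example for this page; NOT the wc-product-table-lite plugin's code.
// Hook names, option name, REST namespace and capability are assumptions.

// ---- Vulnerable pattern -------------------------------------------------
// Registered for logged-out visitors (wp_ajax_nopriv_) and writes a setting
// with no capability check and no nonce: any unauthenticated client can
// change it (integrity impact only, matching C:N/I:L/A:N).
function wcpt_demo_save_settings_vulnerable() {
    $value = isset( $_POST['table_settings'] ) ? wp_unslash( $_POST['table_settings'] ) : '';
    update_option( 'wcpt_demo_table_settings', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_wcpt_demo_save_vuln',        'wcpt_demo_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_wcpt_demo_save_vuln', 'wcpt_demo_save_settings_vulnerable' );

// ---- Hardened pattern ---------------------------------------------------
// 1. No wp_ajax_nopriv_ registration, so logged-out users never reach it.
// 2. current_user_can() enforces a capability the action actually needs
//    (AC-3 Access Enforcement, AC-6 Least Privilege). This is the real
//    authorization check: wp_ajax_ alone fires for ANY logged-in user,
//    including subscribers.
// 3. check_ajax_referer() rejects cross-site forged requests.
// 4. Input is sanitised before it is stored.
function wcpt_demo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'wcpt_demo_settings', 'nonce' ); // dies with 403 on failure

    $value = isset( $_POST['table_settings'] )
        ? sanitize_text_field( wp_unslash( $_POST['table_settings'] ) )
        : '';
    update_option( 'wcpt_demo_table_settings', $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_wcpt_demo_save', 'wcpt_demo_save_settings_hardened' );

// ---- Same rule for a REST route -----------------------------------------
// A state-changing route must carry a real permission_callback; the
// vulnerable equivalent is 'permission_callback' => '__return_true'.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wcpt-demo/v1', '/settings', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => function ( WP_REST_Request $request ) {
            $value = sanitize_text_field( $request->get_param( 'table_settings' ) );
            update_option( 'wcpt_demo_table_settings', $value );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        'args' => array(
            'table_settings' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

The point worth checking when reviewing a plugin for this class of bug: dropping the wp_ajax_nopriv_ hook only removes the unauthenticated path; without a current_user_can() check any logged-in account, including a customer with the subscriber role, can still call the action, and a REST route with permission_callback set to __return_true is the same flaw in different clothing.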

Details

CWE(s)

CWE-862 Missing Authorization

Affected Products

wcproducttable
woocommerce product table
≤ 3.9.0 (note: the NVD description and the Patchstack advisory give the affected range as ≤ 3.8.7; check the installed version against the vendor changelog before concluding a site is unaffected)

CVEs Like This One

CVE-2024-13472 (same product: Wcproducttable Woocommerce Product Table)
CVE-2025-24618 (same product class: WordPress / CMS plugin)
CVE-2025-14457 (same product class: WordPress / CMS plugin)
CVE-2024-10591 (same product class: WordPress / CMS plugin)
CVE-2024-13921 (same product class: WordPress / CMS plugin)
CVE-2025-1441 (same product class: WordPress / CMS plugin)
CVE-2024-12129 (same product class: WordPress / CMS plugin)
CVE-2024-13904 (same product class: WordPress / CMS plugin)
CVE-2024-13558 (same product class: WordPress / CMS plugin)
CVE-2025-7360 (same product class: WordPress / CMS plugin)

References

Patchstack advisory: https://patchstack.com/database/Wordpress/Plugin/wc-product-table-lite/vulnerability/wordpress-woocommerce-product-table-lite-plugin-3-8-7-broken-access-control-vulnerability?_s_id=cve