Skip to main content

WooCommerce Product Table Lite CVE-2026-34902

| EUVDEUVD-2026-36923 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-4q76-h2ch-v726
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network-reachable reflected XSS requiring victim click (UI:R); script executes in WordPress origin yielding scope change with limited C/I/A impact on the user session.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 22:35 vuln.today
CVE Published
Jun 15, 2026 - 20:17 cve.org
HIGH 7.1

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in WooCommerce Product Table Lite <= 4.6.3 versions.

AnalysisAI

Reflected/stored cross-site scripting in the WooCommerce Product Table Lite WordPress plugin (versions ≤ 4.6.3) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of an authenticated WordPress user, including site administrators. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated attack surface combined with WordPress's broad install base makes this a meaningful risk for sites running the plugin.

Technical ContextAI

The flaw is a CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) defect in the WooCommerce Product Table Lite plugin, a WordPress extension that renders product listings as sortable/filterable tables for WooCommerce stores. The CPE cpe:2.3:a:wc_product_table:woocommerce_product_table_lite identifies the WC Product Table vendor's Lite edition as the affected component. XSS in this class of plugin typically arises because user-controllable parameters (search filters, query strings, sort/column inputs) are reflected into rendered HTML or attribute contexts without proper output encoding, allowing a payload to break out of the intended context and execute as script in the visitor's browser session within the WordPress site's origin.

RemediationAI

Upstream fix availability is not independently confirmed from the provided data; no specific fixed version is named in the input, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wc-product-table-lite/vulnerability/wordpress-woocommerce-product-table-lite-plugin-4-6-3-cross-site-scripting-xss-vulnerability) and upgrade WooCommerce Product Table Lite to the latest plugin release above 4.6.3 as soon as the vendor publishes it. Until a patched version is installed, consider deactivating and removing the plugin (trade-off: loss of product-table functionality on storefronts), restricting access to pages that render the product table via WAF rules that strip or reject suspicious script-like payloads in query parameters (trade-off: potential false positives on legitimate filter strings), enabling a strict Content Security Policy that disallows inline scripts on storefront pages (trade-off: may break other plugins/themes relying on inline JS), and using a virtual-patching service such as Patchstack or Wordfence to block known exploit signatures.

Share

CVE-2026-34902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy