Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable DOM XSS needs no privileges but requires victim interaction (UI:R), executes in another security context (S:C), with limited C/I/A impact typical of client-side script injection.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows DOM-Based XSS.This issue affects Active Products Tables for WooCommerce: from n/a through <= 1.1.0.
Articles & Coverage 1
AnalysisAI
DOM-based cross-site scripting affects the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (slug profit-products-tables-for-woocommerce) in all versions through 1.1.0, letting a remote attacker deliver crafted input that is unsafely written into the DOM and executed as script in a victim's browser. Because the CVSS scope is changed (S:C) and no authentication is required (PR:N), successful exploitation can affect resources beyond the vulnerable component, though it requires the victim to interact with an attacker-influenced page or link (UI:R). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target site to be running the Active Products Tables for WooCommerce plugin at version 1.1.0 or earlier on a WordPress/WooCommerce installation, and requires victim interaction (UI:R) - the victim must load or click an attacker-controlled page, link, or input that reaches the plugin's DOM-based rendering sink. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 base score is 7.1 (High) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: network-reachable, low complexity, no privileges, but requiring user interaction, with low confidentiality/integrity/availability impact amplified by a changed scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or storefront input containing a malicious script payload that the plugin's client-side table renderer writes into the page DOM without sanitization, then entices a shopper or store administrator to open it (UI:R). When the victim loads the page, the script executes in their browser session, allowing session token theft, defacement, or actions on the victim's behalf; with scope change, impact can reach beyond the plugin's context. … |
| Remediation | No fixed version is stated in the provided data, so no vendor-released patch is identified at time of analysis; monitor the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/profit-products-tables-for-woocommerce/vulnerability/wordpress-active-products-tables-for-woocommerce-plugin-1-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve) and the WordPress plugin repository for a release above 1.1.0 and upgrade as soon as it ships. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all WooCommerce installations to identify deployments of the 'Active Products Tables for WooCommerce' plugin (slug: profit-products-tables-for-woocommerce, versions ≤1.1.0) and document risk tier by exposure level. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43481