CVE-2024-13472 Overview
CVE-2024-13472 affects the WooCommerce Product Table Lite plugin for WordPress in all versions up to and including 3.9.4. The plugin fails to validate the sc_attrs parameter before passing it to the do_shortcode function. Unauthenticated attackers can execute arbitrary WordPress shortcodes through this flaw. The same parameter is also vulnerable to Reflected Cross-Site Scripting (XSS), allowing attackers to inject malicious scripts that execute in a victim's browser.
Critical Impact
Unauthenticated remote attackers can execute arbitrary shortcodes and trigger reflected XSS against site visitors and administrators.
Affected Products
- WooCommerce Product Table Lite plugin for WordPress
- All versions up to and including 3.9.4
- WordPress sites running the vulnerable plugin with WooCommerce
Discovery Timeline
- 2025-01-31 - CVE-2024-13472 published to NVD
- 2025-02-11 - Last updated in NVD database
Technical Details for CVE-2024-13472
Vulnerability Analysis
The vulnerability resides in the WooCommerce Product Table Lite plugin's handler for the sc_attrs request parameter. The plugin takes the user-supplied value and passes it directly to WordPress's do_shortcode() without validation or sanitization. Because do_shortcode() both executes every registered shortcode tag it finds and returns the remaining text unchanged, this single flaw produces two distinct outcomes.
First, an attacker can invoke any shortcode registered on the site, not only this plugin's own. What that yields depends on the site's other plugins and theme: shortcodes that render customer or order data, send mail, or change state become reachable to anyone who can send an HTTP request. Second, whatever is not consumed as a shortcode is reflected into the response unescaped, giving Reflected Cross-Site Scripting against any user, including a logged-in administrator, who opens a crafted link. The flaw is classified as CWE-94: Improper Control of Generation of Code ('Code Injection').
Root Cause
The root cause is missing input validation before do_shortcode() is invoked: the plugin trusts the value of sc_attrs and hands it to the shortcode parser as if it were post content. WordPress shortcodes are meant to be written into post content by users who hold editing capabilities, and shortcode handlers are generally written on that assumption; they were never intended to process attacker-controlled strings from unauthenticated HTTP requests. The safe pattern is to never pass raw request data to do_shortcode(): parse the intended attributes, keep only known keys with type-appropriate sanitization (for example via shortcode_atts()), and call the rendering code with that cleaned array.
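To make the root cause concrete, here is an illustrative reconstruction of the vulnerable pattern beside a hardened version. This is added example code, not the plugin's actual source or the vendor's fix; the function names, the product_table tag and its attribute names are assumptions, and it relies on the standard WordPress runtime for do_shortcode(), shortcode_parse_atts(), shortcode_atts(), wp_unslash(), absint(), sanitize_key(), sanitize_title(), esc_attr() and esc_html().

```php
<?php
// Added illustration of CVE-2024-13472's root cause. Not the plugin's code:
// function names, the 'product_table' tag and its attributes are assumed.
// Requires the WordPress runtime for the wp_*/sanitize_*/shortcode_* helpers.

// ---- Vulnerable pattern (CWE-94) ----
// The request parameter is handed to the shortcode parser as if it were
// trusted post content. Any registered shortcode in it is executed, and any
// text that is not a shortcode (for example <script>) is returned unchanged,
// so the same line yields shortcode execution and reflected XSS.
function example_render_table_vulnerable() {
    $sc_attrs = isset( $_REQUEST['sc_attrs'] ) ? wp_unslash( $_REQUEST['sc_attrs'] ) : '';
    echo do_shortcode( $sc_attrs );
}

// ---- Hardened pattern ----
// Never pass raw request data to do_shortcode(). Parse the attribute string,
// keep only known keys with type-appropriate sanitisation, and call the
// rendering code with the cleaned array instead of rebuilding a shortcode.
function example_render_table_safe() {
    $raw = isset( $_REQUEST['sc_attrs'] ) ? wp_unslash( $_REQUEST['sc_attrs'] ) : '';
    if ( ! is_string( $raw ) || strlen( $raw ) > 1024 ) {
        return; // reject arrays and oversized values outright
    }

    // 'columns="name,price" rows="20"' -> array( 'columns' => 'name,price', 'rows' => '20' )
    // Older WordPress versions return a string when nothing parses, hence the is_array() check.
    $parsed = shortcode_parse_atts( $raw );
    if ( ! is_array( $parsed ) ) {
        $parsed = array();
    }

    // Allow-list: shortcode_atts() drops every key that is not in the defaults.
    $atts = shortcode_atts(
        array(
            'columns'  => 'name,price',
            'rows'     => 20,
            'category' => '',
        ),
        $parsed,
        'product_table' // assumed tag name
    );

    // Coerce each surviving value to its expected type.
    $atts['rows']     = min( 100, max( 1, absint( $atts['rows'] ) ) );
    $atts['category'] = sanitize_title( $atts['category'] );
    $atts['columns']  = array_values( array_filter( array_map( 'sanitize_key', explode( ',', $atts['columns'] ) ) ) );

    echo example_product_table_html( $atts );
}

// Minimal renderer standing in for the real table output; every dynamic value
// is escaped, so nothing from the request reaches the page as markup.
function example_product_table_html( array $atts ) {
    $html = '<table class="product-table" data-rows="' . esc_attr( $atts['rows'] ) . '"'
          . ' data-category="' . esc_attr( $atts['category'] ) . '"><tr>';
    foreach ( $atts['columns'] as $column ) {
        $html .= '<th>' . esc_html( $column ) . '</th>';
    }
    return $html . '</tr></table>';
}
```

The important property of the hardened version is that no string derived from the request is ever parsed as shortcode or emitted as HTML: the request is reduced to a fixed set of typed values first, and the renderer escapes each of them on output.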
Attack Vector
An unauthenticated attacker sends a crafted HTTP request with a malicious value in the sc_attrs parameter. The server runs the value through do_shortcode(), executing whichever registered shortcodes the attacker named; this variant needs no victim and no interaction. For the XSS variant the attacker delivers the crafted URL to a victim (phishing mail, a forum post, a redirect), and the reflected payload runs JavaScript in the victim's browser in the site's origin; if the victim is a logged-in administrator, that script can issue authenticated requests and obtain nonces on their behalf. No authentication is required for either variant, and the only user interaction is opening the link in the XSS case. See the Wordfence Vulnerability Report and the WordPress Plugin Code Review for technical references.
Detection Methods for CVE-2024-13472
Indicators of Compromise
- HTTP requests whose sc_attrs value contains shortcode syntax or HTML; the presence of the parameter alone is not diagnostic, the content of the value is
- Web server access logs showing an opening square bracket followed by a tag name, such as [shortcode_name], inside query strings or POST bodies, including the URL-encoded form (%5B ... %5D)
- Reflected payloads containing <script>, onerror=, or javascript: strings (also in URL-encoded form) in sc_attrs values
- Shortcodes executed during anonymous requests that should only ever run inside post content; WordPress does not log shortcode execution by default, so this is only visible if you instrument the pre_do_shortcode_tag or do_shortcode_tag filters or your WAF records the request
Detection Strategies
- Inspect web server access logs (WordPress itself does not record query strings or POST bodies) for unauthenticated requests carrying sc_attrs to the endpoints used by the WooCommerce Product Table Lite plugin
- Deploy Web Application Firewall (WAF) rules that flag shortcode-like syntax or HTML/JavaScript in sc_attrs values after URL decoding, so encoded payloads are caught as well
- Correlate anonymous requests carrying sc_attrs with side effects such as outbound HTTP calls, mail sent, or database writes from the web server process, which indicate that a state-changing shortcode actually ran
Monitoring Recommendations
- Enable verbose logging on WordPress hosts and forward logs to a centralized SIEM for correlation
- Alert on installed plugin version 3.9.4 or earlier of WooCommerce Product Table Lite across managed sites, for example from the versions reported by wp plugin list on each host
- Track referrer URLs and user-agent patterns associated with reflected XSS exploitation attempts
How to Mitigate CVE-2024-13472
Immediate Actions Required
- Update the WooCommerce Product Table Lite plugin to a version newer than 3.9.4 immediately
- Audit WordPress administrator accounts and active sessions for signs of XSS-driven compromise: newly created administrators, changed e-mail addresses, unexpected plugins or theme files, and sessions from unfamiliar addresses; rotate credentials and invalidate sessions where exploitation is suspected
- Apply WAF rules to block requests containing shortcode syntax or HTML tags in the sc_attrs parameter until patching is complete
Patch Information
The vendor addressed the issue in the plugin code as documented in the WordPress Change Log Entry. Site operators should update via the WordPress plugin dashboard or by downloading the latest release from the WordPress plugin page.
Workarounds
- Deactivate the WooCommerce Product Table Lite plugin until the patched version can be installed
- Restrict access to the plugin's endpoints using server-level rules where feasible
- Configure a WAF to strip or reject any sc_attrs parameter values containing square brackets, angle brackets, or shortcode names; apply the check after URL decoding, and test the plugin's normal front-end requests afterwards so a legitimate attribute string is not blocked
# Example ModSecurity rule to block shortcode syntax or HTML/JavaScript in the sc_attrs parameter.
# ARGS covers both the query string and the POST body. The transformations normalise
# URL encoding, HTML entities and case so the pattern can stay lower-case and a
# double-encoded payload is inspected in decoded form.
SecRule ARGS:sc_attrs "@rx (\[[a-z_][a-z0-9_-]*|<\s*/?[a-z]|javascript:|\bon[a-z]+\s*=)" \
    "id:1004713,phase:2,deny,status:403,log,\
    t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,\
    msg:'CVE-2024-13472 - Shortcode injection or XSS attempt in sc_attrs',\
    tag:'CVE-2024-13472',severity:'CRITICAL'"
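Where no WAF sits in front of the site, the same check can be enforced inside WordPress as a must-use plugin (a file dropped into wp-content/mu-plugins/, which loads before regular plugins and cannot be deactivated from the dashboard). The following is an added example, not the vendor's patch or Wordfence's code; it also supplies the shortcode-execution logging that the Detection section notes WordPress lacks. The match pattern mirrors the WAF rule above; the file name, the log format, and the choice to apply the check to every request regardless of login state are assumptions, and error_log() output lands wherever PHP's error_log directive points (typically the web server's error log).

```php
<?php
/**
 * Plugin Name: sc_attrs guard (CVE-2024-13472) - added example, not vendor code
 * Description: Rejects sc_attrs values carrying shortcode or HTML syntax before
 *              any plugin code sees them, and logs every shortcode executed
 *              during a request that carries sc_attrs.
 *
 * Install as wp-content/mu-plugins/sc-attrs-guard.php (file name assumed).
 */

// Same pattern as the WAF rule: opening bracket + tag name, an HTML tag,
// a javascript: URL, or an on*= event handler. Applied to every request,
// logged-in or not, because a logged-in victim of the XSS variant is the
// high-value case. '\bon[a-z]+=' can false-positive on a legitimate attribute
// whose name starts with "on"; adjust if the plugin uses one.
const SC_ATTRS_GUARD_PATTERN = '/\[[a-z_][a-z0-9_-]*|<\s*\/?[a-z]|javascript:|\bon[a-z]+\s*=/i';

function sc_attrs_guard_value() {
    if ( ! isset( $_REQUEST['sc_attrs'] ) ) {
        return null;
    }
    $value = wp_unslash( $_REQUEST['sc_attrs'] );
    if ( ! is_string( $value ) ) {
        $value = wp_json_encode( $value ); // arrays are not expected either; inspect them as text
    }
    // PHP already URL-decoded the parameter once; decode again defensively so
    // a double-encoded payload is inspected in the form a second decode would reveal.
    return rawurldecode( $value );
}

function sc_attrs_guard_log( $message ) {
    error_log( sprintf(
        'CVE-2024-13472 guard: %s ip=%s uri=%s',
        $message,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-'
    ) );
}

// 1. Virtual patch. muplugins_loaded fires before any regular plugin is loaded,
//    so the vulnerable handler never runs on a rejected request.
add_action( 'muplugins_loaded', function () {
    $value = sc_attrs_guard_value();
    if ( null === $value || ! preg_match( SC_ATTRS_GUARD_PATTERN, $value ) ) {
        return;
    }
    sc_attrs_guard_log( 'blocked sc_attrs value=' . substr( $value, 0, 200 ) );
    status_header( 403 );
    nocache_headers();
    exit( 'Forbidden' );
} );

// 2. Visibility. WordPress does not log shortcode execution; this records each
//    tag that runs while sc_attrs is present, which is how a bypass of step 1
//    (or of the WAF) would show up. Returning $return unchanged (false) lets
//    the shortcode run normally.
add_filter( 'pre_do_shortcode_tag', function ( $return, $tag, $attr ) {
    if ( isset( $_REQUEST['sc_attrs'] ) ) {
        sc_attrs_guard_log( sprintf( 'shortcode [%s] executed atts=%s', $tag, wp_json_encode( $attr ) ) );
    }
    return $return;
}, 10, 3 );
```

To verify the guard, request any front-end URL with a constructed value such as ?sc_attrs=%5Bsome_tag%5D (a made-up tag) and confirm a 403 plus a "blocked sc_attrs" line in the error log; then exercise the plugin's normal product table and confirm it still renders and that the only shortcode lines logged are its own. This is a stopgap: it narrows the input the vulnerable code can receive but does not remove the do_shortcode() call, so the plugin update is still required.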
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.