CVE-2024-6365: Product Table by WBW WordPress RCE Flaw

CVE-2024-6365 Overview

The Product Table by WBW plugin for WordPress contains a critical Remote Code Execution (RCE) vulnerability in all versions up to and including 2.0.1. The vulnerability exists in the saveCustomTitle function due to missing authorization checks and lack of sanitization of appended data in the languages/customTitle.php file. This security flaw allows unauthenticated attackers to execute arbitrary code on the server, potentially leading to complete site compromise.

Critical Impact
Unauthenticated attackers can achieve remote code execution on vulnerable WordPress installations, enabling complete server compromise, data theft, and further malicious activity without requiring any authentication.

Affected Products

Product Table by WBW plugin for WordPress versions up to and including 2.0.1
WordPress installations running vulnerable versions of the woo-product-tables plugin
WooCommerce sites utilizing the Product Table by WBW plugin

Discovery Timeline

2024-07-09 - CVE-2024-6365 published to NVD
2026-04-08 - Last updated in NVD database

Technical Details for CVE-2024-6365

Vulnerability Analysis

This vulnerability is classified as CWE-94 (Improper Control of Generation of Code), commonly known as Code Injection. The flaw allows attackers to inject and execute arbitrary code on the target server without authentication. The vulnerability stems from the saveCustomTitle function within the Product Table by WBW plugin, which processes user-supplied input without proper authorization verification or input sanitization before writing to the languages/customTitle.php file.

The attack is network-accessible and requires no special privileges, user interaction, or complex exploitation techniques. Successful exploitation grants attackers the ability to execute code with the permissions of the web server process, typically resulting in confidentiality, integrity, and availability impacts to the affected system.

Root Cause

The root cause of this vulnerability lies in two critical security failures within the saveCustomTitle function:

Missing Authorization: The function lacks proper capability checks or nonce verification, allowing any user—including unauthenticated visitors—to invoke the functionality.
Insufficient Input Sanitization: User-supplied data is appended directly to a PHP file (languages/customTitle.php) without proper sanitization or validation, enabling code injection attacks.

This combination of missing access controls and improper input handling creates a direct path for attackers to write arbitrary PHP code to the server and subsequently execute it.

Attack Vector

The vulnerability is exploited via network-based requests to the WordPress installation. An attacker can craft malicious HTTP requests targeting the saveCustomTitle function endpoint. Since no authentication is required, attackers can inject PHP code through the unsanitized input parameters. The injected code is written to the customTitle.php file, which can then be accessed to execute the attacker's payload.

The attack flow typically involves:

Sending a crafted request to the vulnerable endpoint with malicious PHP code
The plugin writes the unsanitized input to languages/customTitle.php
The attacker accesses the modified PHP file to trigger code execution
Arbitrary commands are executed with web server privileges

For detailed technical analysis, refer to the Wordfence Vulnerability Report and the WordPress Plugin Custom Title Script.

Detection Methods for CVE-2024-6365

Indicators of Compromise

Unexpected modifications to the languages/customTitle.php file within the woo-product-tables plugin directory
Suspicious HTTP POST requests targeting the saveCustomTitle function endpoint from unknown or external IP addresses
Presence of PHP web shells or encoded payloads in the plugin's language files
Unusual process spawning from the web server (e.g., php, wget, curl, bash child processes)

Detection Strategies

Monitor web server access logs for POST requests to the saveCustomTitle endpoint, particularly from unauthenticated sessions
Implement file integrity monitoring on the WordPress plugins directory, specifically the woo-product-tables/languages/ path
Deploy web application firewall (WAF) rules to detect and block code injection patterns in request payloads
Review PHP error logs for execution anomalies or syntax errors that may indicate injection attempts

Monitoring Recommendations

Enable real-time file change notifications for WordPress plugin directories
Configure SIEM alerts for web server process anomalies such as reverse shell indicators or outbound connections
Regularly audit installed WordPress plugins and their versions against known vulnerability databases
Implement endpoint detection capabilities to identify post-exploitation activity following successful RCE

How to Mitigate CVE-2024-6365

Immediate Actions Required

Update the Product Table by WBW plugin to version 2.0.2 or later immediately
If immediate update is not possible, deactivate and remove the woo-product-tables plugin until patching is complete
Review the languages/customTitle.php file for any unauthorized modifications or injected code
Conduct a full security audit of the affected WordPress installation to identify signs of compromise
Consider implementing a web application firewall to provide additional protection layer

Patch Information

The vulnerability has been addressed in the WordPress Plugin Changeset Update. Users should update to the patched version immediately through the WordPress admin dashboard or by manually downloading the latest plugin version from the WordPress plugin repository.

To verify successful patching, confirm the plugin version is 2.0.2 or higher in the WordPress admin panel under Plugins > Installed Plugins.

Workarounds

Temporarily deactivate the Product Table by WBW plugin until it can be updated to a patched version
Implement strict file permissions on the languages/ directory to prevent web server write access (may break functionality)
Deploy WAF rules to block requests containing PHP code patterns or common injection payloads targeting the plugin endpoints
Restrict access to the WordPress admin and plugin directories using .htaccess or web server configuration rules

bash

# Restrict write access to the vulnerable directory (temporary mitigation)
chmod 555 /path/to/wp-content/plugins/woo-product-tables/languages/
chown root:root /path/to/wp-content/plugins/woo-product-tables/languages/customTitle.php

CVE-2024-6365 Overview

Critical Impact
Unauthenticated attackers can achieve remote code execution on vulnerable WordPress installations, enabling complete server compromise, data theft, and further malicious activity without requiring any authentication.

Affected Products

Product Table by WBW plugin for WordPress versions up to and including 2.0.1
WordPress installations running vulnerable versions of the woo-product-tables plugin
WooCommerce sites utilizing the Product Table by WBW plugin

Discovery Timeline

2024-07-09 - CVE-2024-6365 published to NVD
2026-04-08 - Last updated in NVD database

Technical Details for CVE-2024-6365

Vulnerability Analysis

Root Cause

The root cause of this vulnerability lies in two critical security failures within the saveCustomTitle function:

Missing Authorization: The function lacks proper capability checks or nonce verification, allowing any user—including unauthenticated visitors—to invoke the functionality.
Insufficient Input Sanitization: User-supplied data is appended directly to a PHP file (languages/customTitle.php) without proper sanitization or validation, enabling code injection attacks.

This combination of missing access controls and improper input handling creates a direct path for attackers to write arbitrary PHP code to the server and subsequently execute it.

Attack Vector

The attack flow typically involves:

Sending a crafted request to the vulnerable endpoint with malicious PHP code
The plugin writes the unsanitized input to languages/customTitle.php
The attacker accesses the modified PHP file to trigger code execution
Arbitrary commands are executed with web server privileges

For detailed technical analysis, refer to the Wordfence Vulnerability Report and the WordPress Plugin Custom Title Script.

Detection Methods for CVE-2024-6365

Indicators of Compromise

Unexpected modifications to the languages/customTitle.php file within the woo-product-tables plugin directory
Suspicious HTTP POST requests targeting the saveCustomTitle function endpoint from unknown or external IP addresses
Presence of PHP web shells or encoded payloads in the plugin's language files
Unusual process spawning from the web server (e.g., php, wget, curl, bash child processes)

Detection Strategies

Monitor web server access logs for POST requests to the saveCustomTitle endpoint, particularly from unauthenticated sessions
Implement file integrity monitoring on the WordPress plugins directory, specifically the woo-product-tables/languages/ path
Deploy web application firewall (WAF) rules to detect and block code injection patterns in request payloads
Review PHP error logs for execution anomalies or syntax errors that may indicate injection attempts

Monitoring Recommendations

Enable real-time file change notifications for WordPress plugin directories
Configure SIEM alerts for web server process anomalies such as reverse shell indicators or outbound connections
Regularly audit installed WordPress plugins and their versions against known vulnerability databases
Implement endpoint detection capabilities to identify post-exploitation activity following successful RCE

How to Mitigate CVE-2024-6365

Immediate Actions Required

Update the Product Table by WBW plugin to version 2.0.2 or later immediately
If immediate update is not possible, deactivate and remove the woo-product-tables plugin until patching is complete
Review the languages/customTitle.php file for any unauthorized modifications or injected code
Conduct a full security audit of the affected WordPress installation to identify signs of compromise
Consider implementing a web application firewall to provide additional protection layer

Patch Information

To verify successful patching, confirm the plugin version is 2.0.2 or higher in the WordPress admin panel under Plugins > Installed Plugins.

Workarounds

Temporarily deactivate the Product Table by WBW plugin until it can be updated to a patched version
Implement strict file permissions on the languages/ directory to prevent web server write access (may break functionality)
Deploy WAF rules to block requests containing PHP code patterns or common injection payloads targeting the plugin endpoints
Restrict access to the WordPress admin and plugin directories using .htaccess or web server configuration rules

bash

# Restrict write access to the vulnerable directory (temporary mitigation)
chmod 555 /path/to/wp-content/plugins/woo-product-tables/languages/
chown root:root /path/to/wp-content/plugins/woo-product-tables/languages/customTitle.php

CVE-2024-6365: Product Table by WBW WordPress RCE Flaw

CVE-2024-6365 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-6365

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-6365

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-6365

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2024-6365: Product Table by WBW WordPress RCE Flaw

CVE-2024-6365 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2024-6365

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2024-6365

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2024-6365

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform