CVE-2026-34902 Overview
CVE-2026-34902 is an unauthenticated Cross-Site Scripting (XSS) vulnerability affecting the WooCommerce Product Table Lite WordPress plugin in versions up to and including 4.6.3. The flaw is categorized under CWE-79, which covers improper neutralization of input during web page generation. An attacker can craft a malicious link or input that injects script content into the rendered page without requiring authentication. The vulnerability requires user interaction to trigger and can impact users across security scopes, including site administrators viewing affected content.
Critical Impact
Unauthenticated attackers can inject arbitrary JavaScript into pages rendered by the plugin, enabling session theft, administrative action hijacking, and credential harvesting on affected WooCommerce stores.
Affected Products
- WooCommerce Product Table Lite plugin for WordPress
- All versions <= 4.6.3
- WordPress installations running WooCommerce with this plugin enabled
Discovery Timeline
- 2026-06-15 - CVE-2026-34902 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-34902
Vulnerability Analysis
The vulnerability is a reflected or stored Cross-Site Scripting (XSS) flaw in the WooCommerce Product Table Lite plugin. The plugin fails to properly sanitize and encode user-supplied input before rendering it within HTML output. An unauthenticated attacker can craft input containing JavaScript payloads that execute in the browser context of any visitor who interacts with the malicious content. Because the issue resides in a WooCommerce-related plugin, exploitation can target both shoppers and administrators of affected stores. The CVSS vector indicates a scope change, meaning the injected script can affect resources beyond the vulnerable component itself, such as the administrative interface or other site components rendered alongside the plugin output.
Root Cause
The root cause is improper neutralization of input during web page generation (CWE-79). The plugin accepts attacker-controllable input and emits it into HTML responses without applying context-appropriate escaping such as esc_html(), esc_attr(), or wp_kses(). This allows raw HTML and <script> content to be interpreted by the browser.
Attack Vector
Exploitation occurs over the network and requires user interaction, typically through a crafted URL or content embedded in a page that the victim visits. The attacker delivers a payload, such as a product table parameter containing script content, then lures a target to click or load the resource. Once executed in the victim's browser, the payload runs with the privileges of the active session and can be used to exfiltrate cookies, perform actions as the user, or pivot to administrative functions. No authentication is required from the attacker to stage the payload.
No verified public proof-of-concept code is available. Refer to the Patchstack XSS Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-34902
Indicators of Compromise
- Unexpected <script> tags, javascript: URIs, or event handler attributes such as onerror= and onload= in stored plugin configuration, product table shortcodes, or query parameters
- Web server access logs showing requests with URL-encoded HTML or JavaScript payloads targeting WooCommerce Product Table Lite endpoints or shortcode parameters
- Outbound requests from administrator browsers to attacker-controlled domains shortly after viewing product table pages
Detection Strategies
- Inventory all WordPress installations and identify sites running WooCommerce Product Table Lite at version 4.6.3 or earlier
- Inspect HTTP request logs for unsanitized characters such as <, >, and " in parameters consumed by the plugin
- Deploy a Web Application Firewall (WAF) signature for reflected XSS patterns targeting WordPress query strings and plugin shortcodes
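As an added example (not part of the advisory or of the plugin's code), the following Python scan applies the indicators listed above to constructed access-log lines: it repeatedly percent-decodes each query parameter so double-encoded payloads are not missed, then flags script tags, javascript: URIs, event-handler attributes and raw <, >, " characters. The plugin's real parameter names and endpoints are not given on this page, so every parameter is inspected and the parameter names in the sample lines are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Indicator patterns taken from the advisory: script tags, javascript: URIs,
# on*= event handlers, and raw <, >, " characters the plugin should never see.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r'[<>"]'),
]

# Common/combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for a request whose query string carries HTML/JS, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("path")).query
    for param, raw in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl has already removed one encoding layer
        for pat in XSS_PATTERNS:
            if pat.search(value):
                return {"ip": m.group("ip"), "ts": m.group("ts"), "param": param,
                        "pattern": pat.pattern, "value": value}
    return None

def scan_log(text):
    """Run inspect_line over every non-empty line and collect the findings."""
    return [f for f in (inspect_line(l) for l in text.splitlines() if l.strip()) if f]

# Constructed sample log lines; the parameter names are hypothetical, not the plugin's.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jun/2026:10:01:02 +0000] "GET /shop/?table_filter=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120
203.0.113.9 - - [15/Jun/2026:10:01:05 +0000] "GET /shop/?s=blue%20shirt&orderby=price HTTP/1.1" 200 8800
198.51.100.7 - - [15/Jun/2026:10:02:10 +0000] "GET /shop/?table_sort=%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The second sample line is a benign search and is not flagged; the third is double-encoded and is only caught because of the repeated decoding.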
Monitoring Recommendations
- Monitor administrator session activity for anomalous actions immediately following navigation to product table pages
- Alert on creation of new administrator accounts, plugin installations, or theme edits performed outside expected maintenance windows
- Track Content Security Policy (CSP) violation reports for inline script execution on storefront and admin pages
How to Mitigate CVE-2026-34902
Immediate Actions Required
- Update WooCommerce Product Table Lite to a version newer than 4.6.3 once the vendor publishes a patched release
- If no patched version is available, deactivate and remove the plugin until a fix is confirmed
- Audit existing product table configurations and stored content for previously injected script payloads
- Force a password reset for administrative accounts that accessed the WordPress admin while the vulnerability was exposed
Patch Information
Review the Patchstack XSS Vulnerability Report for the latest patch status and remediation guidance. Apply updates through the WordPress plugin manager once the vendor releases a fixed version above 4.6.3.
Workarounds
- Restrict access to WordPress admin pages by IP allowlisting at the web server or WAF layer
- Enable a strict Content Security Policy that disallows inline script execution and restricts script sources to trusted origins
- Deploy WAF rules that block requests containing HTML tags or JavaScript event handlers in parameters processed by the plugin
- Educate administrators to avoid clicking untrusted links that reference the affected site while authenticated
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.