[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$feqSGI-CeygxybyMEfhIxKCSuIQ7cF9E8H9V6FcYybYQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":27,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":32},"CVE-2026-32450","active-products-tables-for-woocommerce-use-constructor-to-create-tables-authenticated-contributor-stored-cross-site-scri-2","Active Products Tables for WooCommerce. Use constructor to create tablesĀ  \u003C= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting","The Active Products Tables for WooCommerce. Use constructor to create tablesĀ  plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","profit-products-tables-for-woocommerce",null,"\u003C=1.0.7","1.0.8","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-10 00:00:00","2026-03-19 15:15:29",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F44132f7b-31d4-46e9-8441-e27f0f4c5789?source=api-prod",10,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-32450 (Active Products Tables for WooCommerce)\n\n## 1. Vulnerability Summary\nThe **Active Products Tables for WooCommerce** (slug: `profit-products-tables-for-woocommerce`) plugin is vulnerable to **Stored Cross-Site Scripting (XSS)** in versions up to 1.0.7. The vulnerability exists because the plugin's \"Constructor\" feature, which allows users to build and save custom product tables, fails to sanitize user-supplied input when saving table configurations and fails to escape that data when rendering the table via a shortcode. \n\nThis allows an authenticated attacker with **Contributor-level** permissions or higher to inject malicious JavaScript into a table's configuration (e.g., in column titles or CSS classes). When the table is displayed on the frontend via a shortcode, the script executes in the context of any user viewing the page, including administrators.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `woot_save_table_settings` (inferred based on plugin architecture) or a similar action associated with the \"Constructor\" tab.\n- **Vulnerable Parameters:** Table configuration fields, specifically `title`, `columns`, or `css_classes` within the JSON-encoded table settings.\n- **Authentication:** Authenticated, Contributor-level access (`PR:L`).\n- **Preconditions:** The plugin must be active, and WooCommerce must be installed (as it's a WooCommerce extension).\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** The attacker sends a `POST` request to `admin-ajax.php` with the action `woot_save_table_settings`.\n2. **Processing:** The plugin's AJAX handler (likely inside a class handling \"Constructor\" settings) receives the table configuration.\n3. **Sink (Storage):** The handler uses `update_option()` or `update_post_meta()` to save the configuration array\u002Fobject. It likely lacks sanitization (like `sanitize_text_field` or `wp_kses`).\n4. **Retrieval:** A user (or the attacker) places a shortcode such as `[woot id=\"123\"]` on a page.\n5. **Sink (Output):** The shortcode callback retrieves the stored configuration. While iterating through columns to render the table headers or cells, it outputs the stored values directly using `echo` or similar functions without `esc_html()` or `esc_attr()`.\n\n## 4. Nonce Acquisition Strategy\nThe plugin typically enqueues its settings scripts in the WordPress admin dashboard. The nonces and configuration are localized into a JavaScript object.\n\n1. **Identify Script Localization:** Look for `wp_localize_script` calls in the source. Common variable names for this plugin family: `woot_vars`, `woot_constructor_vars`, or `woot_admin_vars`.\n2. **Target Page:** Navigate to the plugin's \"Constructor\" page (usually `wp-admin\u002Fadmin.php?page=woot&tab=constructor`).\n3. **Extraction:**\n - Use `browser_navigate` to reach the admin page as a Contributor.\n - Use `browser_eval` to extract the nonce:\n ```javascript\n window.woot_vars?.nonce || window.woot_constructor_vars?.nonce || document.querySelector('input[name=\"woot_nonce\"]')?.value\n ```\n4. **Verification:** Check if the action used for `wp_create_nonce` matches the one checked in the AJAX handler (likely `woot_save_table_settings`).\n\n## 5. Exploitation Strategy\n1. **Authentication:** Log in as a user with the **Contributor** role.\n2. **Identify Table ID:** Create a dummy table via the UI or identify the ID of an existing table.\n3. **Craft Payload:** Create a JSON object representing the table settings where a column title contains the XSS payload.\n - Payload: `\">\u003Cscript>alert(document.cookie)\u003C\u002Fscript>`\n4. **Execute AJAX Request:** Send the malicious configuration via `http_request`.\n - **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n - **Method:** `POST`\n - **Body (URL-encoded):**\n - `action=woot_save_table_settings`\n - `woot_nonce=[EXTRACTED_NONCE]`\n - `table_id=1` (or the target ID)\n - `settings=[JSON_PAYLOAD_CONTAINING_XSS]`\n5. **Trigger Execution:** \n - Create a new post\u002Fpage as the Contributor.\n - Insert the shortcode: `[woot id=1]` (replacing 1 with the target ID).\n - Publish\u002FPreview the post.\n6. **Verify:** Navigate to the public URL of the created post and check if the `alert` triggers.\n\n## 6. Test Data Setup\n1. **Plugin Setup:** Install and activate `profit-products-tables-for-woocommerce` and `woocommerce`.\n2. **User Creation:** \n - `wp user create attacker attacker@example.com --role=contributor --user_pass=password`\n3. **Product Creation:** (Optional, but helps rendering)\n - `wp post create --post_type=product --post_title=\"Test Product\" --post_status=publish`\n4. **Table Creation:** Use the plugin UI or CLI to ensure at least one table structure exists in the database.\n\n## 7. Expected Results\n- The AJAX request should return a success status (e.g., `{\"success\":true}`).\n- The `wp_options` or `wp_postmeta` table in the database should now contain the raw `\u003Cscript>` payload.\n- Upon viewing the page containing the `[woot]` shortcode, the browser should execute the injected script, manifesting as an alert box or a failed network request (if using a blind XSS payload).\n\n## 8. Verification Steps\n1. **Database Check:**\n ```bash\n wp option get woot_tables --format=json | grep \"script\"\n # OR if stored in meta:\n wp post meta list [TABLE_POST_ID] --keys=woot_table_settings\n ```\n2. **Frontend Inspection:**\n - Visit the post URL.\n - Search the HTML source for the payload:\n ```bash\n http_request GET [POST_URL] | grep -C 5 \"alert(document.cookie)\"\n ```\n\n## 9. Alternative Approaches\n- **CSS-Based XSS:** If the `title` field is sanitized, try the `css_classes` field or `custom_style` fields if the \"Constructor\" allows them.\n- **Shortcode Attribute Injection:** If the AJAX save is too restrictive, check if the shortcode itself accepts attributes that are rendered without escaping:\n - `[woot title='\u003Cscript>alert(1)\u003C\u002Fscript>']`\n- **Settings Export\u002FImport:** Check if the plugin has an Import\u002FExport feature for table configurations. These often lack validation on the import side.","The Active Products Tables for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in its 'Constructor' feature. This allows authenticated attackers with Contributor-level access or higher to inject arbitrary JavaScript into table configurations, which then executes in the browsers of users viewing pages containing the table shortcode.","--- a\u002Fclasses\u002Fconstructor.php\n+++ b\u002Fclasses\u002Fconstructor.php\n@@ -45,7 +45,7 @@\n public function woot_save_table_settings() {\n check_ajax_referer('woot_save_table_settings', 'nonce');\n $table_id = intval($_POST['table_id']);\n- $settings = $_POST['settings'];\n+ $settings = wp_kses_post($_POST['settings']);\n update_option(\"woot_settings_$table_id\", $settings);\n wp_send_json_success();\n }\n--- a\u002Fclasses\u002Fwoot.php\n+++ b\u002Fclasses\u002Fwoot.php\n@@ -120,5 +120,5 @@\n public function render_table($id) {\n $settings = get_option(\"woot_settings_$id\");\n $data = json_decode($settings, true);\n- return \"\u003Ch3>\" . $data['title'] . \"\u003C\u002Fh3>\";\n+ return \"\u003Ch3>\" . esc_html($data['title']) . \"\u003C\u002Fh3>\";\n }","1. Authenticate as a Contributor and access the WordPress admin dashboard to extract a valid AJAX nonce from the localized JavaScript variables (e.g., 'woot_vars.nonce').\n2. Send a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' using the action 'woot_save_table_settings' and providing a JSON-encoded payload in the 'settings' parameter.\n3. Within the JSON payload, inject a malicious script into a displayed field such as the table title or column names: {\"title\": \"\u003Cscript>alert(1)\u003C\u002Fscript>\", ...}.\n4. Embed the shortcode for the modified table (e.g., [woot id=1]) into a new post or page and publish it.\n5. The injected script will execute in the browser of any user, including administrators, who visits the page where the table is rendered.","gemini-3-flash-preview","2026-04-18 04:54:13","2026-04-18 04:54:37",{"type":33,"vulnerable_version":34,"fixed_version":9,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":9,"fixed_zip":9,"all_tags":37},"plugin","1.0.6.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofit-products-tables-for-woocommerce\u002Ftags\u002F1.0.6.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprofit-products-tables-for-woocommerce.1.0.6.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fprofit-products-tables-for-woocommerce\u002Ftags"]