
CVE-2024-13472: CWE-94 Improper Control of Generation of Code ('Code Injection') in wcproducttable WooCommerce Product Table Lite

Severity: High
Tags: Vulnerability, CVE-2024-13472, CWE-94
Published: Fri Jan 31 2025 (01/31/2025, 09:21:23 UTC)
Source: CVE Database V5
Vendor/Project: wcproducttable
Product: WooCommerce Product Table Lite

Description

CVE-2024-13472 is a high-severity vulnerability in the WooCommerce Product Table Lite WordPress plugin, affecting all versions up to 3.9.4. It allows unauthenticated attackers to execute arbitrary shortcodes via improper validation of the 'sc_attrs' parameter, leading to code injection. This vulnerability also enables reflected cross-site scripting (XSS) through the same parameter. Exploitation requires no authentication or user interaction and can impact confidentiality, integrity, and availability of affected sites. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or implementing mitigations to prevent potential exploitation. Countries with significant WooCommerce usage and e-commerce activity are at higher risk. The CVSS score is 7.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 00:42:25 UTC

Technical Analysis

CVE-2024-13472 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code) found in the WooCommerce Product Table Lite plugin for WordPress, versions up to and including 3.9.4. The vulnerability arises because the plugin improperly validates input before passing it to the WordPress function do_shortcode, which processes shortcodes. Specifically, the 'sc_attrs' parameter can be manipulated by unauthenticated attackers to inject and execute arbitrary shortcodes. This code injection flaw allows attackers to run malicious code within the context of the WordPress site, potentially leading to unauthorized actions such as data theft, site defacement, or further compromise. Additionally, the same parameter is vulnerable to reflected cross-site scripting (XSS), which can be used to execute malicious scripts in the browsers of site visitors, leading to session hijacking or phishing attacks. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely over the network. Although no known exploits have been reported in the wild yet, the vulnerability's nature and ease of exploitation make it a significant threat to websites using this plugin. The CVSS v3.1 score of 7.3 reflects a high severity, with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The scope is unchanged, but the impact affects confidentiality, integrity, and availability to some extent. The lack of available patches at the time of disclosure increases the urgency for mitigation.

Potential Impact

The impact of CVE-2024-13472 on organizations worldwide can be substantial, especially for those relying on WooCommerce Product Table Lite for e-commerce functionality. Successful exploitation allows attackers to execute arbitrary shortcodes, which can lead to unauthorized code execution on the server. This can result in data breaches, including theft of customer information, payment data, or administrative credentials. Attackers may also deface websites, inject malicious content, or pivot to further internal network compromise. The reflected XSS vulnerability can be leveraged to target site visitors, potentially leading to credential theft or malware distribution. Given the plugin's widespread use in e-commerce sites, the vulnerability threatens the confidentiality, integrity, and availability of affected systems. The ease of exploitation without authentication or user interaction increases the risk of automated attacks and mass exploitation campaigns. Organizations may face reputational damage, regulatory penalties, and financial losses if exploited. The absence of known exploits currently provides a window for proactive defense, but the risk of future exploitation remains high.

Mitigation Recommendations

To mitigate CVE-2024-13472, organizations should immediately update the WooCommerce Product Table Lite plugin to a patched version once available. Until a patch is released, administrators should consider disabling or removing the plugin if feasible. Implementing a Web Application Firewall (WAF) with custom rules to block requests containing suspicious shortcode parameters, especially targeting the 'sc_attrs' parameter, can reduce exposure. Restricting access to the WordPress admin and plugin endpoints via IP whitelisting or VPN can limit attacker reach. Monitoring web server logs for unusual shortcode execution attempts or XSS payloads is critical for early detection. Additionally, applying Content Security Policy (CSP) headers can mitigate the impact of reflected XSS attacks. Regular backups and incident response plans should be in place to recover quickly if compromise occurs. Educating site administrators about the risks of installing untrusted plugins and enforcing the principle of least privilege for WordPress users can further reduce attack surface.
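The analysis above describes the injection vector (unvalidated 'sc_attrs' reaching do_shortcode, plus reflected XSS via the same parameter) and recommends log monitoring and WAF rules for it. The following is an added example, not code from the plugin, Wordfence, or this site: a small access-log review script that flags requests whose 'sc_attrs' value carries shortcode brackets or HTML markup, which is the same predicate a WAF rule for this parameter would test. It assumes the parameter arrives in the query string of a GET to a plugin-enabled page (the advisory does not state the HTTP method or endpoint), that logs are in combined-log format, and all sample lines, IPs and paths are constructed for the example.

```python
"""Flag requests whose 'sc_attrs' query parameter carries shortcode or HTML
markup. Added example for log review / WAF-rule prototyping; not the plugin's
code and not derived from it. Sample input below is constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined-log format; IPs are from the TEST-NET-3
# documentation range and the paths are invented for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [31/Jan/2025:09:30:01 +0000] "GET /shop/?sc_attrs=columns%3Dname%2Cprice HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [31/Jan/2025:09:30:07 +0000] "GET /shop/?sc_attrs=%5Bexample_shortcode%5D HTTP/1.1" 200 5230 "-" "curl/8.0"
203.0.113.12 - - [31/Jan/2025:09:30:09 +0000] "GET /shop/?sc_attrs=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 5230 "-" "curl/8.0"
203.0.113.13 - - [31/Jan/2025:09:30:12 +0000] "GET /shop/?product_id=42 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Legitimate shortcode attribute strings are plain key=value lists; anything
# outside this character set deserves a look (assumed allowlist, not the plugin's).
SAFE_ATTRS = re.compile(r'^[A-Za-z0-9_=,\-\s]*$')
SHORTCODE_MARKUP = re.compile(r'\[\s*/?[A-Za-z0-9_-]+')   # "[tag" or "[/tag"
HTML_MARKUP = re.compile(r'<\s*/?[A-Za-z]')                # "<tag" or "</tag"


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so double-encoded brackets are still caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_sc_attrs(value: str) -> list[str]:
    """Return the reasons a single sc_attrs value looks like markup injection."""
    decoded = fully_decode(value)
    reasons = []
    if SHORTCODE_MARKUP.search(decoded):
        reasons.append("shortcode_markup")
    if HTML_MARKUP.search(decoded):
        reasons.append("html_markup")
    if not reasons and not SAFE_ATTRS.match(decoded):
        reasons.append("unexpected_characters")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Walk access-log lines and collect requests with a suspicious sc_attrs value."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("sc_attrs", []):
            reasons = inspect_sc_attrs(value)
            if reasons:
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "sc_attrs": fully_decode(value),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} sc_attrs={f['sc_attrs']!r} -> {', '.join(f['reasons'])}")
```

On the constructed sample the first line (a plain key=value attribute list) passes, the second is flagged for shortcode markup and the third for HTML markup. The same three predicates can be lifted into a WAF rule on the 'sc_attrs' argument; decoding before matching matters, since a single-pass rule misses double-encoded brackets.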


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-16T18:39:10.631Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e59b7ef31ef0b59ec34

Added to database: 2/25/2026, 9:49:13 PM

Last enriched: 2/26/2026, 12:42:25 AM

Last updated: 2/26/2026, 7:13:00 AM