CVE-2024-6458: CWE-862 Missing Authorization in wcproducttable Product Table and List Builder for WooCommerce Lite
The WooCommerce Product Table Lite plugin for WordPress is vulnerable to unauthorized post title modification due to a missing capability check on the wcpt_presets__duplicate_preset_to_table function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers with subscriber access and above to change titles of arbitrary posts. Missing sanitization can lead to Stored Cross-Site Scripting when viewed by an admin via the WooCommerce Product Table.
AI Analysis
Technical Summary
The WooCommerce Product Table Lite plugin suffers from a missing capability check in the wcpt_presets__duplicate_preset_to_table function, enabling authenticated users with subscriber or higher privileges to change arbitrary post titles. This unauthorized modification can be exploited to inject stored cross-site scripting payloads that execute when an admin views the product table. The vulnerability affects all versions up to 3.5.1 and is classified under CWE-862 (Missing Authorization).
Potential Impact
An attacker with subscriber-level access or higher can modify post titles without authorization, potentially injecting malicious scripts that execute in the context of an administrator viewing the WooCommerce Product Table. This can lead to stored cross-site scripting attacks, compromising administrative accounts or site integrity. The vulnerability does not affect availability but impacts confidentiality and integrity.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are currently available. Users should monitor the vendor's advisory for updates and apply any forthcoming official patches promptly. Until a fix is released, restrict subscriber-level user capabilities where possible and limit access to trusted users to reduce risk.
CVE-2024-6458: CWE-862 Missing Authorization in wcproducttable Product Table and List Builder for WooCommerce Lite
Description
The WooCommerce Product Table Lite plugin for WordPress is vulnerable to unauthorized post title modification due to a missing capability check on the wcpt_presets__duplicate_preset_to_table function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers with subscriber access and above to change titles of arbitrary posts. Missing sanitization can lead to Stored Cross-Site Scripting when viewed by an admin via the WooCommerce Product Table.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The WooCommerce Product Table Lite plugin suffers from a missing capability check in the wcpt_presets__duplicate_preset_to_table function, enabling authenticated users with subscriber or higher privileges to change arbitrary post titles. This unauthorized modification can be exploited to inject stored cross-site scripting payloads that execute when an admin views the product table. The vulnerability affects all versions up to 3.5.1 and is classified under CWE-862 (Missing Authorization).
Potential Impact
An attacker with subscriber-level access or higher can modify post titles without authorization, potentially injecting malicious scripts that execute in the context of an administrator viewing the WooCommerce Product Table. This can lead to stored cross-site scripting attacks, compromising administrative accounts or site integrity. The vulnerability does not affect availability but impacts confidentiality and integrity.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch links are currently available. Users should monitor the vendor's advisory for updates and apply any forthcoming official patches promptly. Until a fix is released, restrict subscriber-level user capabilities where possible and limit access to trusted users to reduce risk.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-07-02T18:41:38.712Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6c03b7ef31ef0b55ef71
Added to database: 2/25/2026, 9:39:15 PM
Last enriched: 4/9/2026, 8:08:19 AM
Last updated: 4/12/2026, 4:23:17 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.