This vulnerability (CVE-2026-34902) is an instance of CWE-79: Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). It affects WooCommerce Product Table Lite plugin versions up to and including 4.6.3. The flaw allows unauthenticated attackers to inject malicious scripts into web pages generated by the plugin, which execute in the context of users viewing the affected pages. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and low impacts on confidentiality, integrity, and availability. No official patch or remediation level is currently stated, and no known exploits are reported in the wild.

Successful exploitation can lead to execution of arbitrary scripts in the context of users visiting affected pages, potentially resulting in theft of user credentials, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability to a limited extent. The vulnerability is exploitable remotely without authentication but requires user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting access to affected plugin features or applying web application firewall (WAF) rules to detect and block XSS attempts. Monitor vendor channels for updates and apply patches promptly once released.