CVE-2025-24596
Published: 24 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-24596 is a missing authorization vulnerability (CWE-862, Missing Authorization) in WooCommerce Product Table Lite (wc-product-table-lite), a WordPress plugin from WC Product Table. It allows exploitation of incorrectly configured access control security levels and affects versions up to and including 3.8.7 (the record lists the starting version as n/a). The vulnerability received a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), indicating medium severity: network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or availability impact, and low integrity impact.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation has a limited integrity impact, such as unauthorized modifications made possible by broken access controls in the plugin.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/wc-product-table-lite/vulnerability/wordpress-woocommerce-product-table-lite-plugin-3-8-7-broken-access-control-vulnerability?_s_id=cve) documents this issue in WooCommerce Product Table Lite version 3.8.7, recommending mitigation by updating to a version beyond 3.8.7 where the access control flaw is addressed.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization (CWE-862) in a public-facing WordPress plugin directly enables remote unauthenticated exploitation of the web application, which maps to T1190: Exploit Public-Facing Application.