CVE-2025-62008
Published: 22 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-62008 is a Deserialization of Untrusted Data vulnerability (CWE-502) affecting the Product Table For WooCommerce WordPress plugin developed by acowebs. This PHP object injection issue impacts all versions of the plugin from n/a through 1.2.4, as published on 2025-10-22.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited remotely over the network by low-privileged authenticated users, such as standard registered WordPress users, with low attack complexity and no user interaction required. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing arbitrary code execution or other severe effects typical of PHP object injection.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/product-table-for-woocommerce/vulnerability/wordpress-product-table-for-woocommerce-plugin-1-2-4-php-object-injection-vulnerability?_s_id=cve provides further details on the vulnerability.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a PHP object injection (deserialization) in a public-facing WordPress plugin, directly enabling remote exploitation of a public-facing application by low-privileged authenticated attackers to achieve RCE-like impacts.