The Active Product Tables for WooCommerce plugin is a widely used table builder that lets WordPress site owners create customizable product tables. However, a critical security vulnerability has been discovered in all versions up to and including 1..6.6. The vulnerability, designated CVE-2025-0864, is a Reflected Cross-Site Scripting (XSS) issue that allows unauthenticated attackers to inject arbitrary web scripts into pages; the injected script executes if the attacker can trick a user into performing an action such as clicking a link.

In this post, we'll explain this vulnerability in detail, shed light on the code snippet responsible, and provide useful references for further understanding.

CVE-2025-0864: The Vulnerability

The core issue lies in insufficient input sanitization and output escaping of the 'shortcodes_set' parameter. The plugin uses this parameter to handle shortcodes, but because the value is neither sanitized on input nor escaped on output, it can be abused by attackers.

Here's the relevant code snippet from the vulnerable plugin (version 1..6.6):

<?php
// AJAX handler: reads the raw 'shortcodes_set' POST value and echoes the result as JSON.
function woot_shortcodes() {
    if (isset($_POST['shortcodes_set'])) {
        // Raw request data, taken as-is with no sanitization.
        $data = $_POST['shortcodes_set'];
        // Nonce check; on failure the echo is skipped but the request still exits.
        $check = check_ajax_referer(WOOT_TOKEN, 'nonce', false);

        if ($check) {
            // Output is echoed without escaping and without an explicit content type.
            echo json_encode(WOOT_SHORTCODES::get_shortcodes_data($data));
        }
        exit;
    }
}

// The handler is registered both as an AJAX action and on the admin footer hook.
add_action('wp_ajax_woot_shortcodes', 'woot_shortcodes');
add_action('admin_footer', 'woot_shortcodes');

As you can see, the code above neither sanitizes nor escapes the 'shortcodes_set' parameter before reflecting it back in the response, which allows an attacker to inject malicious code that executes when a user clicks a carefully crafted link.
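The pattern above, modelled stand-alone in PHP as an added example (not the plugin's code): the unsafe reflection beside a hardened version that sanitizes on input and encodes on output. The demo_* names and the sanitizer stand-in are assumptions; in WordPress the equivalents are sanitize_text_field() and wp_send_json(), which also sends the JSON content-type header.

```php
<?php
// Added example, not code from the plugin. Names prefixed demo_ are hypothetical.

// Stand-in for WordPress sanitize_text_field(): strip tags and control characters,
// then trim surrounding whitespace (assumption: this subset is enough for the demo).
function demo_sanitize_text(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim($value);
}

// Unsafe: the request value is reflected unchanged. PHP's json_encode() leaves
// < > & ' " as-is by default, so the body can be rendered as HTML if the
// response is served without an application/json content type.
function demo_reflect_unsafe(array $post): string {
    $data = $post['shortcodes_set'] ?? '';
    return json_encode(['shortcodes_set' => $data]);
}

// Hardened: sanitize on input, hex-encode HTML-significant characters on output,
// and (at the call site) declare the content type so browsers never sniff it as HTML.
function demo_reflect_safe(array $post): string {
    $data = demo_sanitize_text((string) ($post['shortcodes_set'] ?? ''));
    return json_encode(
        ['shortcodes_set' => $data],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Constructed sample input containing markup and quote characters.
$constructed = ['shortcodes_set' => "<b>sale</b> & 'bold' \"tables\""];

echo "unsafe: ", demo_reflect_unsafe($constructed), PHP_EOL;
echo "safe:   ", demo_reflect_safe($constructed), PHP_EOL;

// In a real handler the hardened path would also send the header before echoing:
// header('Content-Type: application/json; charset=utf-8');
```

Running it side by side shows the unsafe output preserving the raw tags and quotes while the hardened output drops the tags and emits the remaining special characters as \u00XX escapes.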

Potential impact includes defacing the site or redirecting users to malicious websites.

This vulnerability affects all versions up to and including 1..6.6 of Active Products Tables for WooCommerce plugin.

References

1. CVE MITRE Listing: CVE-2025-0864
2. Official WordPress Plugin Repository: Active Product Tables for WooCommerce

Mitigation and Solutions

If you are using the Active Products Tables for WooCommerce plugin and your site is running a vulnerable version, it is critical to take the following steps to protect your site and users:

1. Update the plugin to the latest version as soon as a patch addressing this vulnerability is released by the developer.

Conclusion

CVE-2025-0864 is a critical Reflected XSS vulnerability in the Active Product Tables for WooCommerce plugin, affecting all versions up to and including 1..6.6. By exploiting this vulnerability, unauthenticated attackers can inject arbitrary web scripts that execute when a user performs an action like clicking a link. It is important to always keep your WordPress site and plugins updated to minimize the risk of exploitation.

Timeline

Published on: 02/18/2025 08:15:10 UTC