CVE-2024-13472: 
WordPress vulnerability analysis and mitigation

The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution in versions up to and including 3.9.4. This vulnerability was discovered and disclosed on January 31, 2025. The plugin allows unauthenticated attackers to execute arbitrary shortcodes due to improper validation of values before running do_shortcode. Additionally, the 'sc_attrs' parameter is vulnerable to Reflected Cross-Site Scripting (Wordfence Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.3 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The issue is classified as CWE-94 (Improper Control of Generation of Code 'Code Injection'). The vulnerability stems from the software's failure to properly validate a value before executing do_shortcode, allowing unauthenticated attackers to execute arbitrary shortcodes (NVD).

The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes and potentially exploit Reflected Cross-Site Scripting through the 'sc_attrs' parameter. This can lead to unauthorized code execution and potential compromise of website security (Wordfence Advisory).

The vulnerability has been patched in version 3.9.5 of the WooCommerce Product Table Lite plugin. Users are strongly advised to update to this version immediately (WordPress Plugin).