CVE-2022-1020
CRITICAL EXPLOITED NUCLEIWoo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call via wpt_admin_update_notice_option AJAX Action
Title source: llmExploitation Summary
CVE-2022-1020 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument
Nuclei Templates (1)
WordPress WooCommerce <3.1.2 - Arbitrary Function Call
CRITICALby Akincibor
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5
Scores
CVSS v3
9.8
EPSS
0.2623
EPSS Percentile
97.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV
2024-01-21
CWE
CWE-352
CWE-862
Status
published
Products (1)
codeastrology/woo_product_table
< 3.1.2
Published
Apr 18, 2022
Tracked Since
Feb 18, 2026