HarborGuard Database

CVE-2026-34902 | Severity: HIGH | Published | Modified | CNA: Patchstack

CVE-2026-34902: WordPress WooCommerce Product Table Lite plugin <= 4.6.3 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in WooCommerce Product Table Lite <= 4.6.3 versions.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: no upstream fix version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

A reflected or stored cross-site scripting (XSS) vulnerability exists in the WooCommerce Product Table Lite WordPress plugin at version 4.6.3 and earlier. The flaw is reachable over the network without any authentication, but exploitation requires a victim to interact with a malicious link or page crafted by the attacker. Successful exploitation lets an attacker inject and execute arbitrary JavaScript in the victim's browser, enabling session theft, page content modification, or redirection to attacker-controlled sites. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as one is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-34902 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication, including custom-built WordPress or WooCommerce container images. Any image found to carry WooCommerce Product Table Lite at version 4.6.3 or earlier is flagged automatically across customer registries and CI/CD pipelines.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 7.1 (HIGH) per the published v3.1 vector and applies each customer organization's compliance policy weighting to prioritize or escalate accordingly. Findings are routed to the appropriate team inbox within each customer environment based on configured ownership rules.

Status: Available
Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a corrected release. In the interim, compensating-control recommendations such as network-policy isolation of affected WordPress instances are surfaced alongside the finding.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the vulnerable WordPress site over the network; the plugin exposes the flaw via standard HTTP/HTTPS requests.

  • Authentication: Not required

    No account or credentials are needed; the vulnerability is exploitable by any unauthenticated visitor.

  • Victim interaction: Required

    A victim must follow a malicious link or visit an attacker-crafted page that triggers the injected script in their browser.

  • Attack complexity: Low

    No special conditions, race windows, or environmental factors are required for the exploit to succeed reliably.

Blast Radius

  • Reads browser session cookies or authentication tokens belonging to the victim, potentially giving the attacker access to their WordPress or WooCommerce account.
  • Injects modified page content into the victim's browser view, enabling phishing forms or fake checkout flows targeting customer payment data.
  • Redirects the victim's browser to an attacker-controlled site without their knowledge.
  • Degrades the victim's browsing session by executing disruptive scripts, consistent with the partial availability impact indicated in the CVSS vector.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked against all customer images carrying WooCommerce Product Table Lite at affected versions, with detection firing within minutes of the CVE's publication. Because no upstream patch exists at this time, HarborGuard will monitor the Patchstack advisory and the plugin's release channel on every ingest cycle, and a patched-image rebuild will become available automatically the moment a fix version is published. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and a pull request opened against affected workloads with no manual intervention required. While awaiting an upstream fix, customers can apply compensating controls surfaced in the HarborGuard finding detail: restricting public HTTP access to affected WordPress deployments via network policy, enabling a web application firewall rule targeting reflected XSS patterns, or disabling the Product Table Lite plugin until a patched release is available. Where compliance policy permits, these recommendations can be enforced automatically through HarborGuard's policy-as-code controls.

Affected packages
  • WC Product Table / WooCommerce Product Table Lite
    ≤ 4.6.3
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
References