Back to KEVs

CVE-2022-1020

Woo Product Table < 3.1.2 - Unauthenticated Arbitrary Function Call

Basic Information

CVE State
PUBLISHED
Reserved Date
March 18, 2022
Published Date
April 18, 2022
Last Updated
August 02, 2024
Vendor
Acowebs
Product
Product Table for WooCommerce (wooproducttable)
Description
The Product Table for WooCommerce (wooproducttable) WordPress plugin before 3.1.2 does not have authorisation and CSRF checks in the wpt_admin_update_notice_option AJAX action (available to both unauthenticated and authenticated users), as well as does not validate the callback parameter, allowing unauthenticated attackers to call arbitrary functions with either none or one user controlled argument
Tags
wordpress nuclei_scanner

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0

7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Score

Score
88.63% (Percentile: 99.46%) as of 2025-05-28

Exploit Status

Exploited in the Wild
Yes (2025-04-30 00:00:00 UTC) Source

References

https://wpscan.com/vulnerability/04fe89b3-8ad1-482f-a96d-759d1d3a0dd5

Known Exploited Vulnerability Information

Source Added Date
The Shadowserver (via CIRCL) 2025-04-30 00:00:00 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-1020.yaml 2025-04-26 00:00:00 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Detected by Nuclei

  • Added to KEVIntel