CVE-2025-0864 - Reflected XSS Vulnerability in Active Products Tables for WooCommerce Plugin (All Versions ≤ 1..6.6) Explained

If you’re running a WordPress online store with WooCommerce, you might be using Active Products Tables for WooCommerce to display product listings. However, a recent security vulnerability, CVE-2025-0864, has been discovered in this plugin, putting your shop and its users at risk due to a serious Reflected Cross-Site Scripting (XSS) issue.

Let’s break down what this means, how attackers can exploit it, and what you need to do to protect your site.

Understanding the Vulnerability

CVE-2025-0864 affects all versions up to and including 1..6.6 of the "Active Products Tables for WooCommerce. Use constructor to create tables" plugin.

The vulnerability comes from insufficient input sanitization and output escaping on the shortcodes_set parameter. In plain English, the plugin does not properly filter or clean up user input for this parameter. This flaw allows attackers to inject malicious JavaScript code into your site's page. If a user is tricked into clicking a specially crafted link, this code can execute in their browser.

How Reflected XSS Works in This Case

Reflected XSS happens when user-supplied data is immediately returned by the application in a response, without proper sanitization. In this plugin, the shortcodes_set parameter can be used by anyone (even when not logged in) to send malicious scripts.

Example Malicious URL

https://yourstore.com/wp-admin/admin.php?page=apt_wc_products_table&shortcodes_set=%3Cscript%3Ealert('XSS')%3C/script%3E

If an administrator or shop manager clicks this link, a pop-up from alert('XSS') will appear—demonstrating that arbitrary scripts can run on the site.

Here’s a step-by-step of how an attacker could leverage this

1. Craft a Link: The attacker creates a URL with a malicious JavaScript snippet in the shortcodes_set parameter.
2. Deliver the Link: The attacker tries to get a logged-in user (like a shop manager or admin) to click the link. This can be done through phishing emails, social media, or even in blog comments.
3. Execute the Attack: When the victim clicks the link, the script executes in their browser in the context of the WordPress dashboard, leading to potential data theft, site hijacking, or more.

Example Attack URL

https://victimsite.com/wp-admin/admin.php?page=apt_wc_products_table&shortcodes_set=<script>alert('Hacked')</script>;

The problematic code might look something like this (simplified for clarity)

<?php
// In the plugin file that handles admin page rendering

// Vulnerable: No sanitization or escaping of 'shortcodes_set'
$shortcodes_set = $_GET['shortcodes_set'];

echo "<div>{$shortcodes_set}</div>"; // Output is directly reflected
?>

With the proper payload, attackers can inject code that will be executed as soon as the page loads.

Step 1: The attacker crafts this URL

https://victim-site.com/wp-admin/admin.php?page=apt_wc_products_table&shortcodes_set=%3Cscript%3Ealert('XSS')%3C/script%3E

Step 2: A logged-in site user clicks the link.

Step 3: The following script runs

<script>alert('XSS')</script>

This could easily be replaced with something more dangerous, like stealing cookies or redirecting the admin to a phishing page.

If you maintain this plugin or use it, here’s what you should do

- Update the Plugin: Check for updates. If no update is available, consider disabling the plugin until a fix is released.
- Patch the Code Manually: If you’re comfortable editing the plugin, sanitize and escape the output from GET parameters.

Replace the output lines in the plugin with this safer approach

<?php
$shortcodes_set = isset($_GET['shortcodes_set']) ? sanitize_text_field($_GET['shortcodes_set']) : '';
echo "<div>" . esc_html($shortcodes_set) . "</div>";
?>

This sanitizes the input and encodes it for HTML output, effectively neutralizing any injected scripts.

Limit Admin Area Exposure: Only allow trusted users to access the admin area.

- Educate Users: Warn your admins and editors about clicking suspicious links, especially those with strange parameters.
- Web Application Firewall: Use a security plugin like Wordfence to help filter out XSS attempts.

References

- Active Products Tables for WooCommerce Plugin Page
- CVE-2025-0864 at NVD *(Database listing)*
- OWASP - Cross-Site Scripting (XSS)
- Wordfence XSS Guide

Conclusion

CVE-2025-0864 is a serious reflected XSS vulnerability in a popular WooCommerce plugin. With only a crafted link and no user authentication needed, attackers could easily hijack sessions or steal data. If you use this plugin, update or patch it now. Don't wait for your site to become the next breach story.

*Have questions or need help patching this vulnerability? Drop a comment below or reach out on our contact page. Stay safe!*

Timeline

Published on: 02/18/2025 08:15:10 UTC