Impact
The Table Field Add‑on for ACF and SCF contains a stored cross‑site scripting flaw caused by inadequate input sanitization and output escaping of table cell content. Because the vulnerability requires only author‑level access, an attacker who can create or edit content can embed JavaScript that runs in the browser of any user who views a page containing the injected table data. The flaw is a classic input‑validation weakness (CWE‑79) that could allow malicious code to be executed, compromising the confidentiality, integrity, or availability of affected sites for every visitor who loads the affected content.
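Escaping each cell at output time is the control this class of flaw lacks. The following is an added PHP example, not the plugin's code: the function names, the row/cell array layout and the sample data are hypothetical, and `htmlspecialchars()` stands in for WordPress's `esc_html()` so the script runs outside WordPress. It also includes an audit helper, since content stored before a fix stays in the database.

```php
<?php
// Hypothetical table renderer (added example, not the plugin's code).
// $rows is an assumed layout: a list of rows, each a list of cell strings.

/** Escape one cell for an HTML text context (WordPress equivalent: esc_html()). */
function escape_cell(string $cell): string
{
    return htmlspecialchars($cell, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Before: cell content is concatenated into the markup exactly as stored. */
function render_table_unescaped(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '  <tr><td>' . implode('</td><td>', $row) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

/** After: every cell is escaped immediately before it is written out. */
function render_table_escaped(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        // Cast first so non-string values cannot bypass the escaping step.
        $cells = array_map(fn($c) => escape_cell((string) $c), $row);
        $html .= '  <tr><td>' . implode('</td><td>', $cells) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

/** Audit helper: [row, column] of every stored cell that contains HTML tags. */
function cells_with_markup(array $rows): array
{
    $hits = [];
    foreach ($rows as $r => $row) {
        foreach ($row as $c => $cell) {
            if (strip_tags((string) $cell) !== (string) $cell) { $hits[] = [$r, $c]; }
        }
    }
    return $hits;
}

// Constructed sample data: a header row and one row with markup in a cell.
$rows = [['Plan', 'Price'], ['Basic <script>alert(1)</script>', '5 & up']];
var_dump(strpos(render_table_unescaped($rows), '<script>') !== false);
var_dump(strpos(render_table_escaped($rows), '<script>') !== false);
echo json_encode(cells_with_markup($rows)), "\n";
```

The audit helper flags only cells that contain tags, so a plain-text cell such as `5 & up` is escaped on output but not reported.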
Affected Systems
The problem exists in all releases of the Table Field Add‑on for ACF and SCF up to and including version 1.3.30. The plugin is distributed by jonua under that name. No specific build or platform constraints are noted beyond its being a WordPress plugin; any WordPress installation that has the plugin installed and has users with the author role or higher is at risk.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity, and the EPSS score of less than 1 % suggests a low current probability of exploitation. Even so, because authenticated users can inject arbitrary scripts, an attacker who gains author access can readily affect all site visitors. The flaw is not listed in CISA’s KEV catalog, but the potential for widespread impact persists for as long as the vulnerable plugin stays installed. The likely attack vector is the WordPress administration interface, where an attacker creates or modifies a table field and inserts malicious code into a cell. If a site administrator does not limit author capabilities or enable additional sanitization, the vulnerability can be exploited with relative ease.