Description
The SortTable Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the sorttablepost shortcode in all versions up to, and including, 4.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction.
Published: 2025-11-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Update Plugin
AI Analysis

Impact

The SortTable Post WordPress plugin is vulnerable to stored cross-site scripting: the value of the 'id' attribute of its sorttablepost shortcode reaches the rendered page without adequate sanitization or output escaping. A shortcode attribute is plain text when the post is saved, so the KSES filtering that WordPress applies to Contributor-level content does not neutralize it; the plugin turns it into markup only at render time. The payload is therefore persisted with the post and delivered to every user who views the affected page. The advisory notes that it fires on mouse interaction, which is typical when the injection lands inside an HTML attribute and the payload is an event handler such as onmouseover rather than a script tag. The result is a loss of confidentiality and integrity for the site: arbitrary JavaScript runs in the browser of any visitor to the page, including the editors or administrators who review submitted content.

Affected Systems

The vulnerable product is the SortTable Post plugin distributed by sscovil for WordPress. All released versions up to and including 4.2 contain the flaw; any site using these releases is impacted.

Risk and Exploitability

With a CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) the vulnerability is of moderate severity: it is reachable over the network with low attack complexity, needs only low privileges, and is scored as scope-changed because the injected script executes in other users' browsers rather than in the plugin itself. The EPSS score is below 1%, indicating a low predicted probability of exploitation in the wild; the SSVC assessment records no known exploitation and rates it not automatable; and it is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with Contributor-level access or higher, that is, the ability to create or edit post content containing the shortcode. A Contributor cannot publish, but a draft submitted for review is rendered, shortcodes included, when an Editor or Administrator previews it, so the most likely victims are the privileged users who review content. Once the prerequisites are met, the script executes for any user who views the abused page and interacts with it.

Generated by OpenCVE AI on April 22, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update SortTable Post to a release newer than 4.2 as soon as one is published, using the WordPress update mechanism, and confirm in the plugin changelog that the release addresses this issue.
  • If an update cannot be applied, limit who can author content: review which accounts hold the Contributor, Author or Editor role, remove untrusted ones, and audit existing posts (including drafts and items pending review) for sorttablepost shortcodes whose id attribute contains anything other than the expected value.
  • If you maintain a patched copy of the plugin, fix the shortcode handler at both ends: validate the 'id' attribute on input (cast it to an integer with absint(), or match it against a strict allow-list of permitted characters) and escape it at the point of output with the function that matches the sink, esc_attr() for an HTML attribute value and esc_html() for text content. Escaping with the wrong function for the output context is not sufficient on its own.
  • If modifying the plugin code is not feasible, deactivate the SortTable Post plugin until a fixed release is available. Note that any stored payload remains in post content until it is removed; while the plugin is inactive the unregistered shortcode is rendered as literal text rather than executed.
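One way to implement the validate-and-escape fix from the third bullet, together with a helper for the audit step in the second bullet, as an added example. This is illustrative code written for this page, not the SortTable Post plugin's source: the shortcode and attribute names are taken from the advisory, but the table id output context, the example_ function names, the allow-list and the sample content are assumptions. The two handler functions need WordPress loaded (shortcode_atts, absint, esc_attr and add_shortcode are core functions); the audit helper and the sample at the bottom are plain PHP and run without WordPress.

```php
<?php
// Added example (not the SortTable Post plugin's code). Shows the stored-XSS
// pattern from the advisory and the two-sided fix: validate on input, escape
// at the output sink. The output markup, the "example_" function names and
// the audit helper are assumptions made for illustration.

// Assumed vulnerable shape: the attribute is concatenated straight into an
// HTML attribute. A Contributor can save
//   [sorttablepost id='" onmouseover="alert(document.cookie)']
// in a draft; KSES does not touch shortcode attribute text, and the value
// becomes live markup for everyone who renders the post.
function example_sorttable_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'sorttablepost' );
    return '<table id="' . $atts['id'] . '" class="sorttable"></table>';
}

// Hardened handler.
function example_sorttable_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'sorttablepost' );

    // 1. Validate: if the attribute is meant to name a post, force it to a
    //    non-negative integer. Any non-numeric payload collapses to 0.
    $post_id = absint( $atts['id'] );
    if ( 0 === $post_id ) {
        return ''; // refuse to render rather than echo attacker-controlled text
    }

    // 2. Escape for the exact sink: esc_attr() for an attribute value,
    //    esc_html() for a text node. Escaping an already-validated integer
    //    is cheap and keeps the handler safe if the type changes later.
    return '<table id="sorttable-' . esc_attr( (string) $post_id ) . '" class="sorttable"></table>';
}

// If the attribute has to be a free-form HTML id instead of a number, use a
// strict allow-list (assumed here: letter first, then [A-Za-z0-9_-], max 64)
// rather than trying to strip "bad" characters.
function example_sanitize_html_id( $value ) {
    $value = trim( (string) $value );
    return preg_match( '/\A[A-Za-z][A-Za-z0-9_-]{0,63}\z/', $value ) ? $value : '';
}

// Audit helper (plain PHP): return every sorttablepost shortcode in a block
// of post content whose id attribute is neither purely numeric nor a valid
// allow-listed id. Intended for the "audit existing posts" step.
function example_find_suspicious_sorttable_ids( $post_content ) {
    $hits = array();
    if ( ! preg_match_all( '/\[sorttablepost\b([^\]]*)\]/i', $post_content, $tags, PREG_SET_ORDER ) ) {
        return $hits;
    }
    foreach ( $tags as $tag ) {
        // id="..." | id='...' | id=bare  (the forms WP's attribute parser accepts)
        if ( ! preg_match( '/\bid\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\']+))/i', $tag[1], $m ) ) {
            continue;
        }
        $value = '';
        for ( $i = 1; $i <= 3; $i++ ) {
            if ( isset( $m[ $i ] ) && '' !== $m[ $i ] ) { $value = $m[ $i ]; break; }
        }
        $is_numeric = (bool) preg_match( '/\A\d+\z/', $value );
        if ( ! $is_numeric && '' === example_sanitize_html_id( $value ) ) {
            $hits[] = $tag[0];
        }
    }
    return $hits;
}

// Register the hardened handler only when WordPress is loaded; the tag name
// is hypothetical so this file does not silently override the real plugin.
if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'example_sorttablepost', 'example_sorttable_hardened' );
}

// Constructed sample content for the audit helper (not real site data).
$sample = "Intro [sorttablepost id=\"42\"] text\n"
        . "[sorttablepost id='\" onmouseover=\"alert(document.cookie)'] more\n"
        . "[sorttablepost id=table1]";
print_r( example_find_suspicious_sorttable_ids( $sample ) );
```

The hardened handler refuses to render when the id is not a positive integer instead of falling back to the raw string, and it still escapes at the sink so the fix does not depend on the cast being kept. The audit helper accepts purely numeric ids and ids that match the allow-list; anything else, such as the quoted event-handler payload in the constructed sample, is returned so the post can be reviewed and cleaned before the plugin is deactivated or updated.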

Advisories

No advisories yet.

History

Fri, 28 Nov 2025 20:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Nov 2025 16:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Thu, 27 Nov 2025 03:00:00 +0000

Type: Description
Values Added: The SortTable Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in the sorttablepost shortcode in all versions up to, and including, 4.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction.

Type: Title
Values Added: SortTable Post <= 4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (not captured on this page)

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:38.444Z

Reserved: 2025-11-03T20:10:03.508Z

Link: CVE-2025-12649

Vulnrichment

Updated: 2025-11-28T14:39:38.848Z

NVD

Status: Deferred

Published: 2025-11-27T03:15:57.530

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12649

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses