Description
The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tableon_popup_iframe_button shortcode in all versions up to, and including, 1.0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-21
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS) via unsanitized shortcode attributes
Action: Patch Immediately
AI Analysis

Impact

The vulnerability lies in insufficient input sanitization and output escaping of the attributes of the tableon_popup_iframe_button shortcode in the TableOn – WordPress Posts Table Filterable plugin. Any authenticated user with contributor privileges or higher can place a shortcode instance with attacker-controlled attribute values into post content. When a user browses a page containing that shortcode, the stored script executes in that user's browser within the site's origin. This can lead to theft of session cookies, defacement, or other actions performed in the context of the viewing user. The flaw is classified as Stored Cross-Site Scripting (CWE-79).

Affected Systems

The affected product is the TableOn – WordPress Posts Table Filterable plugin developed by realmag777. All released versions up to and including 1.0.4.1 are vulnerable, as indicated by the plugin's change log and source code. Any WordPress installation on which the plugin is activated is exposed; no WordPress core components are directly impacted.

Risk and Exploitability

The CVSS score is 6.4, indicating medium severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. Attackers need an authenticated account with at least the contributor role, so they must first obtain one, for example by compromising an existing account or through credential theft or social engineering. Once the malicious shortcode is persisted, every user who views the affected page executes the injected script, potentially escalating the impact within the site.

Generated by OpenCVE AI on April 21, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TableOn – WordPress Posts Table Filterable plugin to the latest available version that addresses the XSS issue.
  • Remove or sanitize any existing instances of the tableon_popup_iframe_button shortcode that include user-supplied attributes; replace them with safe content or delete the malicious payloads.
  • Limit contributor-level access to trusted users and enforce a policy that contributors cannot add arbitrary shortcodes until the plugin is patched; alternatively, disable the shortcode via a plugin setting or custom code.
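The Impact section and the clean-up action above both turn on the same thing: attribute values of the tableon_popup_iframe_button shortcode reaching HTML output unescaped. The following Python is an added example, not part of the OpenCVE record or the plugin's code: it scans stored post content for instances of the shortcode whose attribute values could break out of an HTML attribute or carry a script-capable URL, and shows the output-side check a shortcode handler should apply to a URL attribute. The attribute names url and title and the sample post are constructed assumptions; the plugin's real attribute names are not given on this page.

```python
import re
from html import escape
from urllib.parse import urlsplit

SHORTCODE = "tableon_popup_iframe_button"
# WordPress shortcode attribute syntax: key="value", key='value' or key=value
_TAG_RE = re.compile(r"\[" + SHORTCODE + r"\b([^\]]*)\]")
_ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Heuristics (reason, predicate): each flags a value that is dangerous if echoed unescaped.
_CHECKS = [
    ("tag characters", lambda v: "<" in v or ">" in v),
    ("quote in value", lambda v: '"' in v or "'" in v),
    ("event handler", lambda v: re.search(r"\bon\w+\s*=", v, re.I) is not None),
    ("script-capable URL scheme",
     lambda v: urlsplit(v.strip()).scheme.lower() in ("javascript", "data", "vbscript")),
]

def parse_attrs(attr_text):
    """Parse shortcode attributes into a dict; a repeated key keeps its last value."""
    attrs = {}
    for m in _ATTR_RE.finditer(attr_text):
        key, dq, sq, bare = m.groups()
        attrs[key.lower()] = dq if dq is not None else (sq if sq is not None else bare)
    return attrs

def find_risky_shortcodes(content):
    """Return [(attrs, reasons)] for each shortcode instance with a suspicious attribute."""
    findings = []
    for m in _TAG_RE.finditer(content):
        attrs = parse_attrs(m.group(1))
        reasons = [f"{k}: {why}" for k, v in attrs.items() for why, pred in _CHECKS if pred(v)]
        if reasons:
            findings.append((attrs, reasons))
    return findings

def safe_iframe_url(value):
    """Output-side check for a URL attribute: allow only http(s) with a host, then HTML-escape
    (the role esc_url()/esc_attr() play in WordPress). Anything else is dropped, not passed on."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return ""
    return escape(value.strip(), quote=True)

# Constructed sample post content (not real data): one benign and one hostile instance.
SAMPLE_POST = (
    "<p>Quarterly numbers:</p>\n"
    '[tableon_popup_iframe_button url="https://example.com/report" title="Open report"]\n'
    '[tableon_popup_iframe_button url="javascript:alert(1)" title="<b>x"]\n'
)
```

Running find_risky_shortcodes over post_content exported from the database (for example via WP-CLI) lists only the hostile instance, with the attribute and reason for each hit.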

Advisories
Source: EUVD
ID: EUVD-2025-18806
Title: The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tableon_popup_iframe_button shortcode in all versions up to, and including, 1.0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Wed, 09 Jul 2025 19:30:00 +0000

First Time appeared (values added): Pluginus; Pluginus tableon - Wordpress Posts Table Filterable
CPEs (values added): cpe:2.3:a:pluginus:tableon_-_wordpress_posts_table_filterable:*:*:*:*:*:wordpress:*:*
Vendors & Products (values added): Pluginus; Pluginus tableon - Wordpress Posts Table Filterable

Mon, 23 Jun 2025 21:15:00 +0000

Metrics (values added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 21 Jun 2025 06:45:00 +0000

Description (values added): The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's tableon_popup_iframe_button shortcode in all versions up to, and including, 1.0.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title (values added): TableOn – WordPress Posts Table Filterable <= 1.0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via tableon_popup_iframe_button Shortcode
Weaknesses (values added): CWE-79
References (values added):
Metrics (values added): cvssV3_1
{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-04-08T16:49:23.642Z
Reserved: 2025-05-23T22:00:03.359Z
Link: CVE-2025-5143

Vulnrichment

Updated: 2025-06-23T20:47:15.607Z

NVD

Status: Analyzed
Published: 2025-06-21T07:15:22.110
Modified: 2025-07-09T19:02:15.157
Link: CVE-2025-5143

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T20:15:44Z

Weaknesses