Impact
The Essekia Tablesome plugin contains an Insertion of Sensitive Information Into Sent Data vulnerability (CWE-201) that allows an attacker to retrieve embedded sensitive data from the system. The flaw arises when the plugin processes data in a way that can expose confidential information to unauthorized parties. This impacts data confidentiality, potentially allowing attackers to gain access to login credentials, personal data, or other sensitive content stored by the plugin.
Affected Systems
Affected systems are WordPress installations running the Tablesome plugin, from the vendor Essekia, at version 1.1.35.1 or earlier. No versions beyond 1.1.35.1 are impacted. The plugin is distributed through WordPress repositories, and any site that has it installed at an affected version is in scope, without further restriction.
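An added example (not part of the advisory or the plugin's code) that checks an inventory of sites against the affected range above, comparing versions numerically because a plain string comparison would wrongly rank 1.1.4 above 1.1.35.1. It assumes the top of each site's main Tablesome plugin file has already been collected as text; the sample headers and version numbers are constructed.

```python
import re

# Last affected release, taken from the advisory text.
LAST_AFFECTED = "1.1.35.1"

# Approximates WordPress's lookup of the "Version" field in a plugin header comment.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def parse_version(text):
    """Turn '1.1.35.1' into (1, 1, 35, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed, last_affected=LAST_AFFECTED):
    """True when installed <= last_affected, compared component by component."""
    a, b = parse_version(installed), parse_version(last_affected)
    width = max(len(a), len(b))
    # Pad with zeros so that 1.1.35 is treated as 1.1.35.0.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def audit(inventory):
    """Map each site to 'affected', 'outside affected range' or 'unknown'."""
    report = {}
    for site, php_source in inventory.items():
        match = VERSION_RE.search(php_source[:8192])  # header sits at the top of the file
        try:
            affected = is_affected(match.group(1)) if match else None
        except ValueError:
            affected = None
        report[site] = {True: "affected", False: "outside affected range",
                        None: "unknown"}[affected]
    return report


# Constructed plugin headers; the version numbers are sample values, not real release data.
HEADER = "<?php\n/**\n * Plugin Name: Tablesome\n * Version: %s\n */\n"
SAMPLE = {"blog": HEADER % "1.1.35.1", "shop": HEADER % "1.1.4",
          "docs": HEADER % "1.1.36", "dev": "<?php\n// header stripped\n",
          "test": HEADER % "1.1.35-beta"}

if __name__ == "__main__":
    for site, status in audit(SAMPLE).items():
        print(f"{site}: {status}")
```

Sites reported as "unknown" have a missing or non-numeric version string and need a manual check rather than being assumed safe.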
Risk and Exploitability
The CVSS score of 5 indicates a medium severity vulnerability. The EPSS score of less than 1% reflects a very low probability of exploitation at the time of analysis, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector is inferred to be via HTTP requests to the plugin’s endpoints, likely requiring some form of authenticated or privileged access to the WordPress site. However, the available data does not explicitly state remote code execution or the need for user interaction, so the risk is considered moderate and exploitability low to moderate based on the information provided.