Impact
The Tablesome plugin has a missing authorization flaw that lets attackers exploit incorrectly configured access control settings. The weakness, catalogued as CWE‑862, allows an unauthorized user to perform actions on the plugin’s data store that they should not be able to execute, potentially reading or modifying data beyond the user’s privileges. Privilege escalation and remote code execution are not explicitly mentioned, but the vulnerability directly undermines the integrity and confidentiality of the plugin’s data.
Affected Systems
WordPress sites that have the Essekia Tablesome plugin installed in any version up to and including 1.1.35.1. All installations are considered vulnerable regardless of the overall WordPress version, because the flaw resides solely in the plugin itself.
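To check an installation against the affected range above, the following added example (not OpenCVE's or the plugin's own code) scans a plugins directory and compares each matching plugin's `Version:` header with 1.1.35.1. It assumes the usual `wp-content/plugins/<dir>/<file>.php` layout and that the plugin's `Plugin Name:` header contains the word "Tablesome"; both are assumptions, not details from the advisory.

```python
import re
from pathlib import Path

LAST_AFFECTED = "1.1.35.1"  # from the advisory: affected up to and including this
NAME_MATCH = "tablesome"    # assumption: the "Plugin Name" header contains this word

# WordPress plugin header lines, e.g. " * Version: 1.1.35.1"
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$",
                    re.IGNORECASE | re.MULTILINE)

def version_key(version, width=4):
    """'1.1.35' -> (1, 1, 35, 0); None when a component is not numeric."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (width - len(nums)))

def is_affected(version):
    """True or False, or None when the version cannot be parsed (review by hand)."""
    key = version_key(version)
    return None if key is None else key <= version_key(LAST_AFFECTED)

def plugin_header(php_source):
    """Extract header fields from the first 8 KB, as WordPress itself does."""
    fields = {}
    for name, value in HEADER.findall(php_source[:8192]):
        fields.setdefault(name.lower(), value)  # first occurrence wins
    return fields

def scan(plugins_dir):
    """Yield (file, version, affected) for every matching plugin main file."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = plugin_header(php.read_text(encoding="utf-8", errors="replace"))
        if NAME_MATCH in fields.get("plugin name", "").lower():
            version = fields.get("version", "")
            yield php, version, is_affected(version)

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for path, version, affected in scan(root):
        state = {True: "AFFECTED", False: "ok", None: "UNKNOWN"}[affected]
        print(f"{state}\t{version or '?'}\t{path}")
```

A result of `UNKNOWN` means the version header was missing or non-numeric and the install should be checked by hand rather than assumed safe.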
Risk and Exploitability
With a CVSS score of 5.4, the flaw poses a moderate severity risk. The EPSS score of less than 1% indicates a low probability of exploitation, and the vulnerability is not cataloged in the CISA KEV list. Attackers can likely trigger the issue remotely via the plugin’s web interface, leveraging the web application’s existing authentication states. Because there are no local privilege prerequisites, the attack vector is web‑based and requires no network access beyond what a standard user account may possess.
OpenCVE Enrichment