Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 TableOn posts-table-filterable allows Reflected XSS. This issue affects TableOn: from n/a through <= 1.0.4.2.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

Improper neutralization of input causes a reflected XSS flaw in the RealMag777 TableOn (posts-table-filterable) plugin, versions up to and including 1.0.4.2. An attacker can inject arbitrary HTML or JavaScript that is echoed back in the victim’s browser, potentially enabling session hijacking, credential theft, or defacement of the site. The flaw is classified as CWE‑79. Its impact is confined to the individual user who views the crafted request; it does not provide persistence or server‑side code execution.

Affected Systems

WordPress sites that have the RealMag777 TableOn (posts-table-filterable) plugin installed at version 1.0.4.2 or earlier. No other WordPress plugins or core versions are affected.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. Exploitation requires user interaction and is stateless: the payload travels in the request itself rather than being stored on the site. The EPSS score of <1% suggests that active exploitation is unlikely at present, and the flaw is not listed in the CISA KEV database. An attacker would need to supply a crafted query string or form input that the plugin reflects unescaped. The attack can be launched remotely from outside the site, but user action (clicking a link or submitting a form) is required to trigger the XSS.

Generated by OpenCVE AI on April 28, 2026 at 18:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the TableOn plugin to a version newer than 1.0.4.2 when released
  • If an upgrade is not possible, disable or remove any functionality that accepts user-supplied input that is reflected back without proper encoding
  • Configure a Web Application Firewall to filter outbound data for unescaped script or malicious HTML fragments

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Fri, 23 Jan 2026 22:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 TableOn posts-table-filterable allows Reflected XSS. This issue affects TableOn: from n/a through <= 1.0.4.2.
Type: Title
Values Added: WordPress TableOn plugin <= 1.0.4.2 - Reflected Cross Site Scripting (XSS) vulnerability
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:37.549Z

Reserved: 2025-12-31T20:12:13.401Z

Link: CVE-2025-69316

Vulnrichment

Updated: 2026-01-23T21:16:03.915Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:27.333

Modified: 2026-04-27T21:16:23.773

Link: CVE-2025-69316

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:15:37Z
