Description
The WP Table Builder – WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wptb shortcode in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-08-15
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-site Scripting leading to arbitrary script execution on pages
Action: Immediate patch
AI Analysis

Impact

The vulnerability arises because the plugin’s wptb shortcode does not sanitize or escape user‑supplied attributes. This omission allows authenticated users with contributor‑level access to embed JavaScript code that is persisted in the database and executed whenever any user views a page containing the shortcode. The stored cross‑site scripting flaw is a classic example of CWE‑79 and can be used to deface content, steal credentials, or inject malware.
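The pattern behind this class of bug, shown as an added example that is not WP Table Builder's code: a hypothetical `[demo_table]` shortcode whose attributes (`id`, `class`, `caption`, all assumed names) are first rendered without escaping and then rendered with per-attribute validation and context-specific escaping. The WordPress helpers used (`shortcode_atts`, `absint`, `sanitize_html_class`, `sanitize_text_field`, `esc_attr`, `esc_html`, `add_shortcode`) are real core functions.

```php
<?php
// Added example for this page; it is not WP Table Builder's code. The
// shortcode name [demo_table] and its attributes (id, class, caption) are
// hypothetical, chosen only to show the pattern behind CWE-79 in a shortcode.

// Vulnerable pattern: attribute values are concatenated straight into markup.
// Anyone allowed to save a post containing the shortcode (contributors included)
// controls $atts, so the string is stored with the post and rendered verbatim
// to every visitor of that page.
function demo_table_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => '', 'class' => 'demo-table', 'caption' => '' ),
        $atts,
        'demo_table'
    );

    return '<table id="' . $atts['id'] . '" class="' . $atts['class'] . '">'
         . '<caption>' . $atts['caption'] . '</caption></table>';
}

// Hardened pattern: first constrain each attribute to the kind of value it is
// supposed to carry, then escape it for the exact context where it is emitted.
function demo_table_shortcode_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => 0, 'class' => 'demo-table', 'caption' => '' ),
        $atts,
        'demo_table'
    );

    // A table identifier should be a positive integer; anything else becomes 0.
    $id = absint( $atts['id'] );

    // CSS classes: keep only characters valid in a class name, one class at a time.
    $classes = array_filter( array_map(
        'sanitize_html_class',
        preg_split( '/\s+/', trim( (string) $atts['class'] ) )
    ) );

    // Caption is plain text, so strip tags and control characters on the way in.
    $caption = sanitize_text_field( $atts['caption'] );

    return sprintf(
        '<table id="%s" class="%s"><caption>%s</caption></table>',
        esc_attr( 'demo-table-' . $id ),          // HTML attribute context
        esc_attr( implode( ' ', $classes ) ),     // HTML attribute context
        esc_html( $caption )                      // element content context
    );
}

add_shortcode( 'demo_table', 'demo_table_shortcode_hardened' );
```

The two halves of the fix are independent: validating on the way in limits what can be stored, while escaping at the point of output (with `esc_attr` for attribute values and `esc_html` for element content) is the control that stops stored data from being interpreted as markup regardless of how it got into the database. Escaping with the wrong function for the context, or only on input, leaves the same class of bug in place.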

Affected Systems

All WordPress installations that have the WP Table Builder – Drag & Drop Table Builder plugin installed in versions 2.0.12 or earlier are impacted. Users with contributor privilege or higher can exploit the issue. No other versions are known to be affected.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. The EPSS score of less than 1% suggests exploitation is unlikely but not impossible. Because the flaw requires authenticated access with the contributor role, the threat is limited to sites with users that can edit tables, yet the impact once exploited can affect all visitors. The vulnerability is not listed in the CISA KEV catalog, and no publicly known exploitation has been reported at this time.

Generated by OpenCVE AI on April 20, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Table Builder to version 2.0.13 or later
  • Remove or deactivate the plugin on sites that cannot be upgraded immediately
  • Remove any malicious scripts that may already be stored in the tables and perform a site‑wide scan
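A read-only triage helper for the last recommended action, added here as an example rather than taken from OpenCVE or the plugin: it walks every post containing a `[wptb ...]` shortcode, parses the attributes with WordPress's own shortcode grammar, and lists values that carry markup, event-handler or script-scheme fragments so an administrator can review and clean them. It assumes it runs inside a loaded WordPress instance (for example via `wp eval-file`); the file name `find-wptb-attrs.php` is assumed.

```php
<?php
// Added triage helper for this page; it is not OpenCVE's or the plugin's code.
// Assumes it runs inside a loaded WordPress instance (for example via
// `wp eval-file find-wptb-attrs.php`). It reads every post containing a
// [wptb ...] shortcode, parses the shortcode's attributes and reports values
// that contain markup, event-handler or script-scheme fragments so that an
// administrator can review and clean them by hand. It modifies nothing.
function find_suspicious_wptb_attributes() {
    $findings = array();

    $posts = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
        's'           => '[wptb',
    ) );

    // WordPress's own shortcode grammar, restricted to the wptb tag;
    // capture group 3 holds the raw attribute string.
    $regex = '/' . get_shortcode_regex( array( 'wptb' ) ) . '/s';

    foreach ( $posts as $post ) {
        if ( ! preg_match_all( $regex, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $match ) {
            $atts = shortcode_parse_atts( $match[3] );
            if ( ! is_array( $atts ) ) {
                continue;
            }
            foreach ( $atts as $name => $value ) {
                // A table attribute has no business containing angle brackets,
                // an unbalanced quote, an on*= handler or a javascript: URL.
                if ( is_string( $value ) && preg_match( '/[<>"]|on[a-z]+\s*=|javascript:/i', $value ) ) {
                    $findings[] = array(
                        'post_id' => $post->ID,
                        'author'  => (int) $post->post_author,
                        'attr'    => $name,
                        'value'   => $value,
                    );
                }
            }
        }
    }

    return $findings;
}

foreach ( find_suspicious_wptb_attributes() as $f ) {
    printf( "post %d (author %d): attribute %s = %s\n",
        $f['post_id'], $f['author'], $f['attr'], $f['value'] );
}
```

Run it after upgrading, not instead of upgrading: the scan only finds what is already stored in post content, and post revisions and any plugin-specific storage need the same review. Each hit names the author, which is also the account whose other contributions should be checked.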


Advisories
Source: EUVD
ID: EUVD-2025-24988
Title: The WP Table Builder – WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wptb shortcode in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Sat, 16 Aug 2025 21:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Wordpress; Wordpress wordpress

Fri, 15 Aug 2025 17:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 Aug 2025 07:45:00 +0000

Type: Description
  Values Added: The WP Table Builder – WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wptb shortcode in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
  Values Added: WP Table Builder – WordPress Table Plugin <= 2.0.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Type: Weaknesses
  Values Added: CWE-79
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV3_1
  {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:14:49.796Z

Reserved: 2025-08-05T17:49:52.145Z

Link: CVE-2025-8604

Vulnrichment

Updated: 2025-08-15T16:34:28.798Z

NVD

Status : Deferred

Published: 2025-08-15T08:15:26.623

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8604

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:00:10Z

Weaknesses