The TablePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘shortcode_debug’ parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Metrics
Affected Vendors & Products
References
History
Tue, 02 Sep 2025 15:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Tablepress
Tablepress tablepress Wordpress Wordpress wordpress |
|
Vendors & Products |
Tablepress
Tablepress tablepress Wordpress Wordpress wordpress |
Tue, 02 Sep 2025 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Sat, 30 Aug 2025 04:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The TablePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘shortcode_debug’ parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
Title | TablePress <= 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode_debug Parameter | |
Weaknesses | CWE-79 | |
References |
|
|
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2025-09-02T14:46:54.646Z
Reserved: 2025-08-26T19:06:27.544Z
Link: CVE-2025-9500

Updated: 2025-09-02T14:46:52.180Z

Status : Awaiting Analysis
Published: 2025-08-30T05:15:48.430
Modified: 2025-09-02T15:55:35.520
Link: CVE-2025-9500

No data.

Updated: 2025-09-02T15:23:31Z