Description
The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableon_button' shortcode in all versions up to and including 1.0.4.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'class', 'help_link', 'popup_title', and 'help_title'. The do_shortcode_button() function extracts these attributes without sanitization and passes them to TABLEON_HELPER::draw_html_item(), which concatenates attribute values into HTML using single quotes without escaping (line 29: $item .= " {$key}='{$value}'"). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
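As an added illustration (not the plugin's code), the PHP below reconstructs the quoted unescaped concatenation as a minimal draw_html_item() beside a hardened form of the same routine; the function bodies, the stand-ins for the WordPress escaping helpers, and the treatment of help_link as a URL attribute are assumptions.

```php
<?php
// Added illustration, not the plugin's code: draw_html_item_vulnerable() mirrors the advisory's
// " {$key}='{$value}'" line; draw_html_item_hardened() is one fix. WordPress helpers get stand-ins.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_html_class')) {
    // WordPress keeps only [A-Za-z0-9_-]; quotes, spaces and brackets are dropped.
    function sanitize_html_class($s) { return preg_replace('/[^A-Za-z0-9_-]/', '', (string) $s); }
}
if (!function_exists('esc_url')) {
    // Stand-in: accept http(s)/mailto or relative URLs, reject any other scheme with ''.
    function esc_url($s) { $s = trim((string) $s); return preg_match('#^(https?:|mailto:|/|\#|\?)#i', $s) ? $s : ''; }
}
// Behaviour the advisory describes: every attribute value lands inside single quotes verbatim.
function draw_html_item_vulnerable($tag, array $attrs, $text) {
    $item = "<{$tag}";
    foreach ($attrs as $key => $value) {
        $item .= " {$key}='{$value}'";
    }
    return $item . ">{$text}</{$tag}>";
}
// Hardened: allow-list attribute names, sanitize by attribute type, escape every value on output.
// Treating help_link as URL-bearing (like href/src) is an assumption about the plugin.
function draw_html_item_hardened($tag, array $attrs, $text) {
    $tag  = preg_replace('/[^a-z0-9]/', '', strtolower($tag));
    $item = "<{$tag}";
    foreach ($attrs as $key => $value) {
        if (!preg_match('/^[a-z][a-z0-9_-]*$/i', $key)) { continue; } // drop malformed attribute names
        $k = strtolower($key);
        if ($k === 'class') {
            // Split on whitespace so multi-class values survive, then sanitize each token.
            $classes = array_map('sanitize_html_class', preg_split('/\s+/', trim($value)));
            $value   = implode(' ', array_filter($classes));
        } elseif (in_array($k, array('href', 'src', 'help_link'), true)) {
            $value = esc_url($value);
        }
        $item .= " {$k}='" . esc_attr($value) . "'";
    }
    return $item . '>' . esc_attr($text) . "</{$tag}>";
}
// Constructed sample input: a quote and bracket in `class`, a non-http link, a title with a quote.
$sample = array('class' => "tableon-btn primary'>", 'help_link' => 'javascript:void(0)', 'popup_title' => "O'Reilly <b>guide</b>");
echo draw_html_item_vulnerable('a', $sample, 'Help'), "\n";
echo draw_html_item_hardened('a', $sample, 'Help'), "\n";
```

Running both on the same sample shows the vulnerable form emitting the quote and bracket unchanged inside the attribute, while the hardened form drops them from `class`, blanks the non-http link and entity-encodes the title.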
Published: 2026-04-08
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via the shortcode’s class attribute allows an authenticated user to inject and execute arbitrary client‑side scripts on every page that loads the shortcode
Action: Update Plugin
AI Analysis

Impact

This vulnerability stems from inadequate sanitization of the tableon_button shortcode attributes, notably class, help_link, popup_title and help_title. An attacker with Contributor or higher privileges can craft a malicious value for the class attribute, which the plugin concatenates into the HTML output without escaping. The result is stored XSS; when any user visits a page containing the injected shortcode, the malicious script runs in that user’s browser, potentially leading to defacement, session hijacking, or the delivery of phishing payloads. This attack does not compromise the server directly but can compromise the confidentiality, integrity, and authenticity of all site users who access the affected pages.

Affected Systems

The flaw affects the TableOn – WordPress Posts Table Filterable plugin for WordPress, versions up to and including 1.0.4.4. Any WordPress site running this plugin version and granting Contributor or higher roles to users is susceptible.

Risk and Exploitability

The CVSS score of 6.4 reflects a moderate impact, and the EPSS score (below 1%) indicates a very low predicted probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and the only identified vector is through authenticated users who can insert the shortcode. If such users are present on the site, the risk remains until the plugin is upgraded or the affected shortcode is removed from content.

Generated by OpenCVE AI on April 8, 2026 at 05:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the TableOn plugin (1.0.5 or newer) that corrects the sanitization of shortcode attributes.
  • If an update is not immediately possible, remove or disable the vulnerable shortcode from your posts and pages, or uninstall the plugin entirely until a fix is released.
  • Restrict Contributor or higher roles to trusted users only, or consider additional role‑management controls to prevent unauthorized content injection.
  • Conduct a scan of your site’s content for injected scripts and cleanse any instances found.
  • Keep an eye on the vendor’s repository or WordPress plugin directory for a patch and test it in a staging environment before deploying it to production.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Realmag777
                                       Realmag777 tableon – Wordpress Posts Table Filterable
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Realmag777
                                       Realmag777 tableon – Wordpress Posts Table Filterable
                                       Wordpress
                                       Wordpress wordpress

Wed, 08 Apr 2026 16:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 04:30:00 +0000

Type                  Values Removed   Values Added
Description                            The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableon_button' shortcode in all versions up to and including 1.0.4.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'class', 'help_link', 'popup_title', and 'help_title'. The do_shortcode_button() function extracts these attributes without sanitization and passes them to TABLEON_HELPER::draw_html_item(), which concatenates attribute values into HTML using single quotes without escaping (line 29: $item .= " {$key}='{$value}'"). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title                                  TableOn – WordPress Posts Table Filterable <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute
Weaknesses                             CWE-79
References
Metrics                                cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:27.588Z

Reserved: 2026-03-04T14:58:56.897Z

Link: CVE-2026-3513

Vulnrichment

Updated: 2026-04-08T15:56:48.949Z

NVD

Status : Deferred

Published: 2026-04-08T05:16:05.790

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-3513

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:22:23Z

Weaknesses