CVE-2025-10053
📋 TL;DR
The TableGen WordPress plugin has a stored XSS vulnerability that allows authenticated administrators to inject malicious scripts into admin settings pages. These scripts execute when other users view those pages, potentially compromising their accounts. This only affects WordPress multisite installations or sites where unfiltered_html capability is disabled.
💻 Affected Systems
- TableGen - Data Table Generator WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full site takeover, data theft, or malware distribution to visitors.
Likely Case
Privilege escalation where lower-privileged users get malicious scripts executed in their sessions, potentially stealing session cookies or performing actions on their behalf.
If Mitigated
Limited impact due to requiring admin credentials and specific WordPress configurations.
🎯 Exploit Status
Requires administrator-level WordPress credentials and specific WordPress configuration conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.2 or later
Vendor Advisory: https://wordpress.org/plugins/table-creator/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'TableGen - Data Table Generator'. 4. Click 'Update Now' if update available. 5. Alternatively, download latest version from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the TableGen plugin until patched
wp plugin deactivate table-creator
Enable unfiltered_html for admins
allEnable unfiltered_html capability for administrator roles (not recommended for security)
🧯 If You Can't Patch
- Restrict administrator accounts to trusted personnel only
- Implement web application firewall rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → TableGen version. If version is 1.3.1 or earlier and you have multisite OR unfiltered_html disabled, you are vulnerable.Check Version:
wp plugin get table-creator --field=versionVerify Fix Applied:
Verify plugin version is 1.3.2 or later in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual admin setting modifications
- JavaScript payloads in plugin settings fields
Network Indicators:
- Unexpected script tags in admin page responses
SIEM Query:
source="wordpress" AND ("tablegen" OR "table-creator") AND ("admin" OR "settings") AND ("script" OR "javascript")