CVE-2025-13753
📋 TL;DR
The WP Table Builder WordPress plugin has an authorization flaw that allows authenticated users with Subscriber-level access or higher to create unauthorized table posts. This vulnerability affects all plugin versions up to 2.0.19. Attackers can exploit this to inject malicious content or disrupt website functionality.
💻 Affected Systems
- WP Table Builder – Drag & Drop Table Builder WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers create malicious tables containing JavaScript payloads that execute when viewed, potentially leading to site defacement, credential theft, or malware distribution to visitors.
Likely Case
Low-privilege users create unauthorized table content, disrupting site integrity and potentially inserting spam or inappropriate material.
If Mitigated
With proper access controls and monitoring, impact is limited to minor content pollution that can be quickly cleaned up.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.20
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3432381/wp-table-builder
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find WP Table Builder. 4. Click 'Update Now' if available. 5. Alternatively, download version 2.0.20+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
allDisable the vulnerable plugin until patched
wp plugin deactivate wp-table-builder
Restrict User Registration
allTemporarily disable new user registration to prevent attacker account creation
Update WordPress Settings > General > Membership to uncheck 'Anyone can register'
🧯 If You Can't Patch
- Remove Subscriber role from all non-trusted users
- Implement web application firewall rules to block suspicious POST requests to table builder endpoints
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 2.0.19 or lower, system is vulnerable.Check Version:
wp plugin get wp-table-builder --field=versionVerify Fix Applied:
Confirm plugin version is 2.0.20 or higher after update. Test with Subscriber account that table creation is properly restricted.📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=wptb_save_table from low-privilege users
- Unexpected wptb-table post creations in WordPress logs
Network Indicators:
- POST requests containing wptb_save_table action from non-admin IP addresses
SIEM Query:
source="wordpress.log" AND "wptb_save_table" AND (user_role="subscriber" OR user_role="contributor")