CVE-2025-5096
📋 TL;DR
The TablePress WordPress plugin has a DOM-based stored XSS vulnerability in versions up to 3.1.2. Authenticated attackers with Contributor access or higher can inject malicious scripts via specific data-attributes, which execute when users view affected pages. This affects all WordPress sites using vulnerable TablePress versions.
💻 Affected Systems
- TablePress WordPress Plugin, versions up to and including 3.1.2
📦 What is this software?
TablePress, a WordPress plugin for creating and managing tables in posts and pages. Its front-end table features are provided by the bundled DataTables JavaScript library, which is where the affected data-attribute handling lives.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal admin credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal session cookies or redirect users to phishing pages.
If Mitigated
With proper input validation and output escaping, scripts are neutralized and rendered harmless as text.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.3 or later
Vendor Advisory: https://wordpress.org/plugins/tablepress/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find TablePress and click 'Update Now'.
4. Verify the update to version 3.1.3 or higher.
🔧 Temporary Workarounds
Remove Contributor Access
Temporarily restrict contributor-level access until patching is complete
Disable TablePress Plugin
Deactivate the plugin if it is not essential for site functionality
🧯 If You Can't Patch
- Implement strict user role management and review all contributor accounts
- Deploy web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check the TablePress version number under WordPress admin panel > Plugins; any version up to and including 3.1.2 is vulnerable
Check Version:
wp plugin list --name=tablepress --field=version
Verify Fix Applied:
Confirm TablePress version is 3.1.3 or higher in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to TablePress endpoints with script-like content in data-attributes
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Outbound connections to suspicious domains from WordPress server
- Unexpected JavaScript payloads in HTTP responses
SIEM Query (pseudo-query; the last group stands in for your SIEM's XSS signature list, which the placeholder "script_patterns" left unspecified):
source="wordpress.log" AND "tablepress" AND ("data-caption" OR "data-s-content-padding" OR "data-s-title" OR "data-footer") AND ("<script" OR "onerror=" OR "onload=" OR "javascript:")
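An added detection example, not code from the advisory or from TablePress: it applies the SIEM query's idea to constructed request-log lines, decoding URL-encoded bodies before matching so that encoded markup is not missed, and flags POST writes that set one of the four watched data-attributes to script-like content. The log format, paths, action names, user names and IP addresses are assumptions made for the sample.

```python
import html
import re
from urllib.parse import unquote_plus

# Data-attributes named in this advisory's SIEM query; DataTables reads them
# from the <table> element and renders some of them as HTML.
WATCHED_ATTRS = ("data-caption", "data-s-content-padding", "data-s-title", "data-footer")
# Conservative markers of script-like content inside an attribute value.
SCRIPT_MARKERS = re.compile(r"<\s*/?\s*script|\bon[a-z]+\s*=|javascript\s*:|<\s*iframe", re.I)
# name="value", name='value' or a bare form value (stops at whitespace or '&').
ATTR_RE = re.compile(r"(data-[a-z0-9-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s&]+))", re.I)
# Constructed request-log format (hypothetical): ts ip user=<login> METHOD path body=<raw>
LOG_RE = re.compile(r"^(\S+) (\S+) user=(\S+) (GET|POST) (\S+) body=(.*)$")

def scan_line(line_no: int, line: str) -> list[dict]:
    """Return one finding per watched attribute whose value looks script-like."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ts, ip, user, method, path, body = m.groups()
    # Only writes that touch TablePress are interesting for this CVE.
    if method != "POST" or "tablepress" not in (path + body).lower():
        return []
    findings = []
    for am in ATTR_RE.finditer(unquote_plus(body)):  # undo form/URL encoding
        name = am.group(1).lower()
        value = html.unescape(am.group(2) or am.group(3) or am.group(4) or "")
        if name in WATCHED_ATTRS and SCRIPT_MARKERS.search(value):
            findings.append({"line": line_no, "ts": ts, "ip": ip, "user": user,
                             "attr": name, "value": value})
    return findings

def scan_log(lines: list[str]) -> list[dict]:
    out = []
    for i, line in enumerate(lines, 1):
        out.extend(scan_line(i, line))
    return out

# Constructed sample lines (not real traffic; paths and action names are made up):
# benign caption, script in a title, same script but not TablePress, URL-encoded footer.
SAMPLE_LOG = [
    '2025-06-01T10:00:00Z 203.0.113.5 user=editor1 POST /wp-admin/admin-ajax.php?action=tp_save body=tablepress=1&data-caption="Quarterly+sales"',
    '2025-06-01T10:02:11Z 203.0.113.9 user=contrib1 POST /wp-admin/admin-ajax.php?action=tp_save body=tablepress=1&data-s-title="<script>x</script>"',
    '2025-06-01T10:03:40Z 203.0.113.9 user=contrib1 POST /wp-admin/admin-ajax.php?action=other body=data-footer="<script>x</script>"',
    '2025-06-01T10:05:02Z 203.0.113.9 user=contrib1 POST /wp-admin/post.php body=tablepress_table=1&data-footer=%3Cscript%3Ex%3C%2Fscript%3E',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['ts']} user={f['user']} ip={f['ip']} {f['attr']}={f['value']!r}")
```

Lines 2 and 4 of the sample are flagged; line 1 is a benign TablePress save and line 3 carries the same markup but is not a TablePress request.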
🔗 References
- https://datatables.net/
- https://github.com/DataTables/DataTablesSrc/blob/29539c40504365bc4be0599e4b0739cf270a2e09/js/core/core.constructor.js#L329
- https://github.com/DataTables/DataTablesSrc/commit/d278ed307035cb8740d2fad86b7cbb995380f7bb
- https://github.com/DataTables/DataTablesSrc/commit/d558328106bef2d48dfc4cf78581dd106f5c1077
- https://plugins.trac.wordpress.org/browser/tablepress/tags/3.1.2/js/jquery.datatables.min.js
- https://plugins.trac.wordpress.org/changeset/3298453/tablepress
- https://tablepress.org/release-announcement-tablepress-3-1-3/
- https://wordpress.org/plugins/tablepress/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cd2dfa02-0404-4300-a5ed-6326f9df6d30?source=cve