Login Sign Up

CVE-2025-9543

3.5 LOW
Cross-Site Scripting

📋 TL;DR

The FlexTable WordPress plugin before version 3.19.2 has a stored cross-site scripting (XSS) vulnerability in Google Sheet import functionality. High-privilege users like administrators can inject malicious scripts that execute when other users view affected content, even when unfiltered_html capability is restricted. This affects WordPress sites using vulnerable FlexTable plugin versions, particularly in multisite configurations.

💻 Affected Systems

Products:
  • FlexTable WordPress Plugin
Versions: All versions before 3.19.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires high-privilege user (admin or editor) to import malicious Google Sheet content. Particularly relevant in WordPress multisite setups where unfiltered_html is restricted.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Administrator account compromise leading to full site takeover, data theft, or malware distribution to visitors

🟠

Likely Case

Privilege escalation within WordPress, session hijacking, or defacement of affected pages

🟢

If Mitigated

Limited impact if only trusted administrators have access and proper input validation is implemented

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative access to WordPress. Attack involves importing malicious Google Sheet content containing JavaScript payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.19.2

Vendor Advisory: https://wpscan.com/vulnerability/6cc212f4-aa61-409a-b257-9c920956a401/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find FlexTable plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 3.19.2+ from WordPress repository and replace plugin files.

🔧 Temporary Workarounds

Restrict Google Sheet Import Access

all

Limit plugin import functionality to only trusted administrators

Disable FlexTable Plugin

linux

Temporarily disable plugin until patched

wp plugin deactivate flextable

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
  • Audit and monitor administrator accounts for suspicious Google Sheet import activities

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → FlexTable → Version. If version is below 3.19.2, system is vulnerable.

Check Version:

wp plugin get flextable --field=version

Verify Fix Applied:

Confirm FlexTable plugin version is 3.19.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Google Sheet import activities by admin users
  • Multiple failed import attempts

Network Indicators:

  • Unexpected outbound connections from WordPress to external domains after imports

SIEM Query:

source="wordpress" AND (event="plugin_activation" OR event="import_action") AND plugin="flextable"

📊 Metadata

CVE ID: CVE-2025-9543
CVSS v3 Score: 3.5 (LOW)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
EPSS Score: 0.03% exploit probability (8.6th percentile)
Published: January 5, 2026
Last Updated: January 8, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON