{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10053", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-05T19:20:46.665Z", "datePublished": "2025-10-03T11:17:15.574Z", "dateUpdated": "2026-04-08T17:05:54.828Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:54.828Z"}, "affected": [{"vendor": "exlac", "product": "TableGen \u2013 Data Table Generator", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The TableGen \u2013 Data Table Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "TableGen \u2013 Data Table Generator <= 1.3.1 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8bea21d9-26d1-49a5-a130-26d99818d4d3?source=cve"}, {"url": "https://wordpress.org/plugins/table-creator/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-02T22:33:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-03T18:12:10.523270Z", "id": "CVE-2025-10053", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:12:21.209Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10053", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-03T18:12:10.523270Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-03T18:12:16.710Z"}}], "cna": {"title": "TableGen \u2013 Data Table Generator <= 1.3.1 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "exlac", "product": "TableGen \u2013 Data Table Generator", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-02T22:33:29.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8bea21d9-26d1-49a5-a130-26d99818d4d3?source=cve"}, {"url": "https://wordpress.org/plugins/table-creator/"}], "descriptions": [{"lang": "en", "value": "The TableGen \u2013 Data Table Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:54.828Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10053", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:05:54.828Z", "dateReserved": "2025-09-05T19:20:46.665Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-03T11:17:15.574Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The TableGen \u2013 Data Table Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-10053", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-03T12:15:41.550", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/table-creator/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8bea21d9-26d1-49a5-a130-26d99818d4d3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T14:12:51.999761+00:00", "value": {"mitigation_remediation": ["Update or upgrade the TableGen \u2013 Data Table Generator plugin to the latest version that removes the XSS bug", "If an update is not immediately available, disable or remove the plugin from multisite installations where it is not required", "Restrict the unfiltered_html capability to a minimal set of trusted users and enforce strong authentication for administrator accounts"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the TableGen \u2013 Data Table Generator plugin version 1.3.1 or earlier, on multisite installations where the unfiltered_html capability is disabled. Only administrators or accounts with equivalent permissions can exploit the flaw.", "description_and_impact": "The vulnerability is a Stored Cross\u2011Site Scripting flaw that allows an attacker with administrator or higher privileges to inject malicious JavaScript into the plugin\u2019s admin settings. The injected script is stored and served to any user who views the affected page, giving the attacker the ability to steal session cookies, deface content, or perform other client\u2011side attacks. The weakness is a classic input\u2011validation and output\u2011encoding failure, identified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 4.4 indicates low severity. The EPSS score of less than 1% suggests the likelihood of exploitation is very low, and the vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access as an administrator, so the practical risk is limited to sites with weak role assignments or poorly secured admin accounts, but successful exploitation would compromise the confidentiality, integrity, and availability of end\u2011user sessions."}}}}, "created": "2025-10-06T14:43:01.326809+00:00", "updated": "2026-04-22T14:15:20.427239+00:00", "vendors": ["exlac", "exlac$PRODUCT$tablegen", "wordpress", "wordpress$PRODUCT$wordpress"]}