{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13753", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-26T18:34:46.579Z", "datePublished": "2026-01-09T07:22:12.280Z", "dateUpdated": "2026-04-14T15:56:21.107Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:09.184Z"}, "affected": [{"vendor": "wptb", "product": "WP Table Builder \u2013 Drag & Drop Table Builder", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.19", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WP Table Builder \u2013 Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new wptb-table posts."}], "title": "WP Table Builder <= 2.0.19 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95f49080-2263-4f6d-9372-30137efd8e10?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3432381/wp-table-builder"}, {"url": "https://research.cleantalk.org/cve-2025-13753/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-12-01T18:20:23.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-08T18:58:47.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"references": [{"url": "https://research.cleantalk.org/cve-2025-13753/", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:56:06.703666Z", "id": "CVE-2025-13753", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:56:21.107Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13753", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T15:56:06.703666Z"}}}], "references": [{"url": "https://research.cleantalk.org/cve-2025-13753/", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T18:09:41.202Z"}}], "cna": {"title": "WP Table Builder <= 2.0.19 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wptb", "product": "WP Table Builder \u2013 Drag & Drop Table Builder", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.19"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-01T18:20:23.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-08T18:58:47.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95f49080-2263-4f6d-9372-30137efd8e10?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3432381/wp-table-builder"}, {"url": "https://research.cleantalk.org/cve-2025-13753/"}], "descriptions": [{"lang": "en", "value": "The WP Table Builder \u2013 Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new wptb-table posts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:10:09.184Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13753", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:56:21.107Z", "dateReserved": "2025-11-26T18:34:46.579Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T07:22:12.280Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The WP Table Builder \u2013 Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new wptb-table posts."}, {"lang": "es", "value": "El plugin WP Table Builder \u2013 Drag &amp; Drop Table Builder para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de autorizaci\u00f3n incorrecta en la funci\u00f3n save_table() en todas las versiones hasta la 2.0.19, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, creen nuevas entradas wptb-table."}], "id": "CVE-2025-13753", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-09T08:15:56.833", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3432381/wp-table-builder"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-13753/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95f49080-2263-4f6d-9372-30137efd8e10?source=cve"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://research.cleantalk.org/cve-2025-13753/"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T15:58:52.493391+00:00", "value": {"mitigation_remediation": ["Update WP Table Builder to version 2.0.20 or later, ensuring the authorization check is fixed.", "If an immediate upgrade is not possible, remove the plugin or disable its table\u2011creation capability for Subscriber users, for example by adjusting user capabilities or applying a temporary code snippet.", "Consider reviewing and tightening role assignments on the site so that only trusted users have Subscriber or higher privileges, reducing the potential impact window."], "summary": {"action": "Patch Immediately", "impact": "Arbitrary Table Creation by Subscriber or higher"}, "threat_synthesis": {"affected_systems": "All installations of WP Table Builder versions up to and including 2.0.19 are affected. The plugin is distributed for WordPress and is applied as a standard plugin, meaning any WordPress site that has installed this plugin and has users with Subscriber\u2011level access is potentially impacted.", "description_and_impact": "The WP Table Builder \u2013 Drag & Drop Table Builder plugin for WordPress contains an incorrect authorization check in its save_table() function. This flaw allows any authenticated user with a Subscriber role or higher to create new wptb-table posts, effectively granting them the ability to add arbitrary tables to the site. The vulnerability is a weak point in role\u2011based access control (CWE\u2011863) and can be used to bypass intended restrictions on table creation. While it does not provide direct code execution, the attacker can manipulate site content and potentially disrupt normal operation.", "risk_and_exploitability": "The CVSS score of 4.3 indicates low to moderate severity, and the EPSS score of <1% shows a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, suggesting it is not a known, widely used exploit. The attack requires only authenticated access with Subscriber or higher privileges, which are commonly granted on many sites. Because the vulnerability permits arbitrary table creation but does not enable further privileges or code execution, the overall risk remains low, though it still allows content injection that could be used for social engineering or site disruption."}}}}, "created": "2026-01-09T13:24:03.236359+00:00", "updated": "2026-04-20T16:00:10.650220+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wptb", "wptb$PRODUCT$wp_table_builder"]}