{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5096", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-05-22T19:51:40.089Z", "datePublished": "2025-05-23T08:23:39.711Z", "dateUpdated": "2026-04-08T17:24:00.375Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:00.375Z"}, "affected": [{"vendor": "tobiasbg", "product": "TablePress \u2013 Tables in WordPress made easy", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "TablePress <= 3.1.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd2dfa02-0404-4300-a5ed-6326f9df6d30?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tablepress/tags/3.1.2/js/jquery.datatables.min.js"}, {"url": "https://github.com/DataTables/DataTablesSrc/blob/29539c40504365bc4be0599e4b0739cf270a2e09/js/core/core.constructor.js#L329"}, {"url": "https://wordpress.org/plugins/tablepress/#developers"}, {"url": "https://datatables.net/"}, {"url": "https://github.com/DataTables/DataTablesSrc/commit/d278ed307035cb8740d2fad86b7cbb995380f7bb"}, {"url": "https://github.com/DataTables/DataTablesSrc/commit/d558328106bef2d48dfc4cf78581dd106f5c1077"}, {"url": "https://plugins.trac.wordpress.org/changeset/3298453/tablepress"}, {"url": "https://tablepress.org/release-announcement-tablepress-3-1-3/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "timeline": [{"time": "2025-05-22T19:56:52.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-23T12:33:31.851669Z", "id": "CVE-2025-5096", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-23T12:33:43.637Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5096", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-05-23T12:33:31.851669Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-23T12:33:37.474Z"}}], "cna": {"title": "TablePress <= 3.1.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters", "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "tobiasbg", "product": "TablePress \u2013 Tables in WordPress made easy", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-22T19:56:52.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd2dfa02-0404-4300-a5ed-6326f9df6d30?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tablepress/tags/3.1.2/js/jquery.datatables.min.js"}, {"url": "https://github.com/DataTables/DataTablesSrc/blob/29539c40504365bc4be0599e4b0739cf270a2e09/js/core/core.constructor.js#L329"}, {"url": "https://wordpress.org/plugins/tablepress/#developers"}, {"url": "https://datatables.net/"}, {"url": "https://github.com/DataTables/DataTablesSrc/commit/d278ed307035cb8740d2fad86b7cbb995380f7bb"}, {"url": "https://github.com/DataTables/DataTablesSrc/commit/d558328106bef2d48dfc4cf78581dd106f5c1077"}, {"url": "https://plugins.trac.wordpress.org/changeset/3298453/tablepress"}, {"url": "https://tablepress.org/release-announcement-tablepress-3-1-3/"}], "descriptions": [{"lang": "en", "value": "The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:00.375Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5096", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:24:00.375Z", "dateReserved": "2025-05-22T19:51:40.089Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-05-23T08:23:39.711Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tablepress:tablepress:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "58F71A05-5C5B-4E84-928C-C12AE1D5023F", "versionEndExcluding": "3.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento TablePress para WordPress es vulnerable a Cross-Site Scripting Almacenado basadas en DOM a trav\u00e9s de los atributos de datos 'data-caption', 'data-s-content-padding', 'data-s-title' y 'data-footer' en todas las versiones hasta la 3.1.2 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5096", "lastModified": "2025-07-11T19:41:21.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-05-23T09:15:21.710", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://datatables.net/"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://github.com/DataTables/DataTablesSrc/blob/29539c40504365bc4be0599e4b0739cf270a2e09/js/core/core.constructor.js#L329"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://github.com/DataTables/DataTablesSrc/commit/d278ed307035cb8740d2fad86b7cbb995380f7bb"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://github.com/DataTables/DataTablesSrc/commit/d558328106bef2d48dfc4cf78581dd106f5c1077"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/tablepress/tags/3.1.2/js/jquery.datatables.min.js"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3298453/tablepress"}, {"source": "security@wordfence.com", "tags": ["Release Notes"], "url": "https://tablepress.org/release-announcement-tablepress-3-1-3/"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://wordpress.org/plugins/tablepress/#developers"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd2dfa02-0404-4300-a5ed-6326f9df6d30?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T22:46:40.769587+00:00", "value": {"mitigation_remediation": ["Upgrade TablePress to version\u202f3.1.3 or later.", "If an upgrade is not immediately possible, remove or disable the affected tables that contain injected data to stop script execution.", "Restrict Contributor\u2011level access on the WordPress site or temporarily change contributor users to a lower role until the plugin is updated."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting (DOM\u2011based)"}, "threat_synthesis": {"affected_systems": "The flaw affects the TablePress plugin for WordPress, any installation of TablePress version 3.1.2 or earlier. The affected product is the \"TablePress \u2013 Tables in WordPress made easy\" plugin available through the WordPress plugin repository. No other vendors or products are listed.", "description_and_impact": "This flaw allows an injected script via data\u2011attributes in TablePress to run automatically whenever a page with the affected table is displayed. The vulnerability arises from insufficient sanitisation of the data\u2011caption, data\u2011s\u2011content\u2011padding, data\u2011s\u2011title and data\u2011footer attributes, which are stored server\u2011side and rendered on the client. An attacker who can create or edit a table with Contributor\u2011level or higher access can place malicious code; any user who views the injected page will have the script execute, potentially enabling session hijacking, defacement, or other client\u2011side attacks. The weakness is classified as CWE\u201179, a classic DOM\u2011based stored cross\u2011site scripting issue.", "risk_and_exploitability": "The CVSS score is 6.4, indicating a medium\u2011severity vulnerability. The EPSS score is below 1\u202f%, which suggests a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Exploitability requires an attacker to authenticate to the WordPress site with Contributor\u2011level or higher access to create or edit tables. Once the malicious payload is stored in the data\u2011attributes, any visitor to the page will trigger the script; thus the risk is tied to sites that allow contributions and do not sanitize the attributes. The attack vector is therefore authenticated, role\u2011based, and the vulnerability can be leveraged to affect all users who access the impacted page."}}}}, "created": "2026-04-20T23:00:14.116094+00:00", "updated": "2026-04-20T23:00:14.116106+00:00", "vendors": []}