The Smart Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and includ

WORDPRESS

08-09-2025 14:47

CVE-2025-9126 Vulnerabilidad documentada

6.4 MEDIUM

Tags

#wordpress

#site

#plugin

#cross

#web

#cross-site

#cross-site scripting

#attackers

#authenticated

#arbitrary

#vulnerable

#scripting

#inject

#execute

#attack

#access

Descripción

The Smart Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.0.1 due insufficient input sanitization output escaping. This makes it possible authenticated attackers, with Contributor-level access above, inject arbitrary web scripts pages that will execute whenever a user accesses an injected page.

https://github.com/DesignMike/smart-table-builder/commit/c9ca2adbb39fe4543e1eb56fc90cf1aeab558971

https://plugins.trac.wordpress.org/browser/smart-table-builder/trunk/includes/Frontend.php#L28

https://plugins.trac.wordpress.org/changeset/3351768/smart-table-builder/trunk/includes/Frontend.php

https://wordpress.org/plugins/smart-table-builder/#developers

https://www.wordfence.com/threat-intel/vulnerabilities/id/44e68e0c-1b21-411b-9ff7-6b6affc5988e?source=cve

Referencia

Link externo

Ver detalles

Fuente

https://nvd.nist.gov/vuln/detail/CVE-2025-9126

Resultados similares

Coincidentes en almenos en 50% de los tags

09-09-2025 CVE-2025-10134
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary fil...
Ver información

09-09-2025 CVE-2025-9542
The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in...
Ver información