AP Pricing Tables Lite < 1.1.5 - Reflected Cross-Site Scripting
No patched release is available through the WordPress.org plugin directory.
The plugin has been removed from the WordPress.org directory (reason: Security Issue), so version 1.1.5, in which the fix was committed (changeset 2684253), is not being distributed through the official channel. If the plugin is installed, uninstall or replace it rather than wait for an update; check the installed version on the Plugins screen and treat anything below 1.1.5 as vulnerable.
Description
The Pricing Table Builder WordPress plugin before 1.1.5 does not sanitize and escape the postid parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: < 1.1.5
Patches
Vulnerability mechanics
Root cause
"Missing sanitization and escaping of the postid parameter before it is output in an admin page."
Attack vector
An attacker crafts a URL to the vulnerable admin page carrying a `postid` parameter with an embedded JavaScript payload. When a logged-in administrator opens it, the unsanitized `postid` value is reflected into the page and the script executes in the administrator's browser session [ref_id=1]. This is reflected cross-site scripting [CWE-79]: the attacker needs no account on the site, only a way to get the victim to open the link, but the victim must be authenticated to the WordPress admin area for the vulnerable page to render at all. Because the script runs with the administrator's cookies and can read the nonces embedded in admin pages, it can issue authenticated requests on the attacker's behalf.
Affected code
The vulnerability is in the AP Pricing Tables Lite WordPress plugin (slug: ap-pricing-tables-lite), which fails to sanitize and escape the `postid` parameter before outputting it back in an admin page [ref_id=1]. The advisory does not name the affected file; the fix was committed in changeset 2684253 on the WordPress plugin Trac [ref_id=1].
What the fix does
The advisory states that the fix shipped in version 1.1.5 of the plugin [ref_id=1]. The patch (WordPress Trac changeset 2684253) sanitizes the `postid` parameter on input and escapes it on output before it is written into the admin page [ref_id=1], so injected HTML or JavaScript is rendered as inert text rather than interpreted by the browser, closing the reflected XSS vector.
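As an added example (not the plugin's own code, and not the changeset's actual diff, which this page does not reproduce), the following stand-alone PHP contrasts the reflected-output pattern described under Attack vector with the sanitize-and-escape fix described here. The function names, the hidden-input markup and the WordPress stand-ins are hypothetical; `postid` is the only identifier taken from the advisory.

```php
<?php
// Added example, not code from the AP Pricing Tables Lite plugin.
// Reproduces the reflected-XSS pattern on a `postid` request parameter
// and shows the sanitize-and-escape fix. Everything except the parameter
// name `postid` is hypothetical.

// Stand-ins so the file runs under the php CLI outside WordPress. Inside
// WordPress these core functions already exist and the stand-ins are skipped.
// The real esc_attr() does additional UTF-8 checks and runs a filter; this
// approximation covers the HTML-attribute escaping that matters here.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('absint')) {
    function absint($maybeint) {
        return abs((int) $maybeint);
    }
}

// Vulnerable pattern: the raw request value is concatenated straight into
// markup on an admin page. A double quote in the value closes the attribute
// and the rest of the payload is parsed as HTML.
function render_postid_vulnerable(array $get): string {
    $postid = isset($get['postid']) ? $get['postid'] : '';
    return '<input type="hidden" name="postid" value="' . $postid . '">';
}

// Escape-only variant: neutralizes the markup but still reflects arbitrary
// text, so a non-numeric value is rendered rather than rejected.
function render_postid_escaped_only(array $get): string {
    $postid = isset($get['postid']) ? $get['postid'] : '';
    return '<input type="hidden" name="postid" value="' . esc_attr($postid) . '">';
}

// Hardened pattern: sanitize on input (a post ID is a non-negative integer,
// so absint() collapses anything else to 0) and escape on output for the
// HTML-attribute context. Both steps, not one or the other.
function render_postid_fixed(array $get): string {
    $postid = isset($get['postid']) ? absint($get['postid']) : 0;
    return '<input type="hidden" name="postid" value="' . esc_attr($postid) . '">';
}

// Constructed payload of the kind a crafted admin URL would carry
// (...?page=...&postid=%22%3E%3Cscript%3E...). Not from the advisory.
$payload = ['postid' => '"><script>alert(document.domain)</script>'];

echo "Vulnerable:   ", render_postid_vulnerable($payload), PHP_EOL;
echo "Escaped only: ", render_postid_escaped_only($payload), PHP_EOL;
echo "Fixed:        ", render_postid_fixed($payload), PHP_EOL;
```

Run with `php example.php`: the vulnerable line emits a closed attribute followed by a live `<script>` element, the escape-only line emits the payload as `&quot;&gt;&lt;script&gt;...` text inside the attribute, and the fixed line emits `value="0"`. When reviewing a plugin for this class of bug, look for any `$_GET`/`$_REQUEST` value that reaches `echo`, string concatenation or `printf` without passing through a sanitizer such as `absint()`/`sanitize_text_field()` and a context-appropriate escaper such as `esc_attr()`/`esc_html()`/`esc_url()`.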
Preconditions
- auth: The victim must be logged in as an administrator to the WordPress admin area.
- input: The attacker must trick the victim into opening a crafted URL with a malicious postid parameter.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/changeset/2684253 (x_refsource_CONFIRM)
- wpscan.com/vulnerability/f8405e06-9cf3-4acb-aebb-e80fb402daa9 (x_refsource_MISC)