CVE-2025-55711

Vulnerability

Description The WP Table Builder plugin for WordPress suffers from improper neutralization of user-supplied input during web page generation, enabling stored cross-site scripting (XSS). This flaw affects all versions up to and including 2.0.12. The root cause is insufficient sanitization or escaping of input that is subsequently rendered as HTML or JavaScript in the context of a visitor's browser [1].

Exploitation

Conditions To exploit this vulnerability, an attacker must be a privileged user—at minimum a Contributor role—within the WordPress site. The attack does not require any special network access or authentication bypass; it relies on the attacker's ability to create or modify table content via the plugin's interface. Successful exploitation requires that the attacker submits a crafted payload that, when stored, will later be rendered without proper neutralization. User interaction is not required from the victim; the script executes automatically when any site visitor loads the compromised page [1].

Impact

If exploited, an attacker can inject arbitrary HTML and JavaScript into the vulnerable web pages. This can lead to a range of malicious activities, including redirecting visitors to attacker-controlled sites, displaying unwanted advertisements, stealing sensitive session tokens or cookies, and defacing the website. The injected script runs in the security context of the affected domain, potentially affecting any user who views the page [1].

Mitigation

The vendor has released version 2.0.13 of the WP Table Builder plugin, which resolves this XSS vulnerability by properly sanitizing and escaping user input. All site administrators are strongly advised to update the plugin immediately. For those using Patchstack, enabling automatic updates for vulnerable plugins is a recommended precaution. The vulnerability has a CVSS v3 score of 6.5 (Medium) and is known to be of interest for mass-exploit campaigns, underscoring the importance of prompt patching [1].