CVE-2025-9126
Description
The Smart Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Smart Table Builder WordPress plugin via unsanitized 'id' parameter, affecting all versions up to 1.0.1.
The Smart Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to and including 1.0.1. The vulnerability exists in the render_frontend function, where the 'id' parameter from shortcode attributes is used without proper sanitization or output escaping. The plugin directly outputs the user-supplied value into a data-table-id attribute of a div element, allowing injection of arbitrary HTML and JavaScript [1][2].
An attacker must have at least Contributor-level access to the WordPress site to exploit this vulnerability. The attacker can inject malicious scripts via the 'id' parameter when creating or editing a table shortcode. The injected script will execute whenever any user (including administrators) visits the page containing the malicious shortcode. No additional authentication or network position is required beyond the contributor account [1].
Successful exploitation allows an authenticated attacker to execute arbitrary web scripts in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive information such as cookies and authentication tokens. Because this is a stored XSS, the malicious script persists in the page and affects every visitor [1].
The vulnerability has been patched in the commit c9ca2ad, which applies absint() to sanitize the ID and esc_attr() to escape the output in the HTML attribute [2]. Users are strongly advised to update to the latest version of the plugin as soon as a patched release becomes available. No workaround is provided, and the plugin may be removed if an update is not possible.
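To illustrate the pattern described above and the shape of the fix, here is an added example; it is not the plugin's own code, and the shortcode tag, function names, and markup are assumed for illustration. The hardened handler applies absint() and esc_attr() exactly as the patch description states.

```php
<?php
// Illustrative example, not code from the Smart Table Builder plugin.
// Assumed shape of a shortcode handler that echoes the 'id' attribute
// into a data-table-id attribute; 'smart_table' and both function names
// are hypothetical.

// Vulnerable pattern: the attribute value reaches the HTML unescaped.
// Anyone who can save post content (Contributor and above) controls it,
// and it is stored with the post, so every later page view renders it.
function stb_example_render_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '' ), $atts, 'smart_table' );
    return '<div class="smart-table" data-table-id="' . $atts['id'] . '"></div>';
}

// Hardened pattern mirroring the described fix: absint() forces the value
// to a non-negative integer (so it cannot carry markup), and esc_attr()
// escapes it for the attribute context as defence in depth.
function stb_example_render_fixed( $atts ) {
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'smart_table' );
    $id   = absint( $atts['id'] );
    if ( 0 === $id ) {
        return ''; // no valid table id, render nothing
    }
    return '<div class="smart-table" data-table-id="' . esc_attr( $id ) . '"></div>';
}

add_shortcode( 'smart_table', 'stb_example_render_fixed' );
```

When reviewing a plugin for the same class of bug, look for shortcode attributes or post meta concatenated into HTML without an esc_* call, and for numeric identifiers that are not cast before use.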
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: v1.0.1
- (no CPE) range: <=1.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/DesignMike/smart-table-builder/commit/c9ca2adbb39fe4543e1eb56fc90cf1aeab558971 (nvd)
- plugins.trac.wordpress.org/browser/smart-table-builder/trunk/includes/Frontend.php (nvd)
- plugins.trac.wordpress.org/changeset/3351768/smart-table-builder/trunk/includes/Frontend.php (nvd)
- wordpress.org/plugins/smart-table-builder/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/44e68e0c-1b21-411b-9ff7-6b6affc5988e (nvd)
News mentions
No linked articles in our index yet.