CVE-2025-1065 in Tables and Charts Manager Plugin
Summary
by MITRE • 02/19/2025
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Import Data From File feature in all versions up to, and including, 3.11.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Analysis
by VulDB Data Team • 02/19/2025
The vulnerability identified as CVE-2025-1065 affects the Visualizer: Tables and Charts Manager plugin for WordPress, a widely used tool for creating and managing data visualizations within WordPress environments. This plugin enables users to import data from various file formats and generate interactive charts and tables. The flaw resides specifically within the Import Data From File functionality, which processes user-supplied data without adequate sanitization measures. Security researchers have determined that all versions of this plugin up to and including 3.11.8 are affected by this vulnerability, making it a critical concern for WordPress site administrators who rely on this plugin for their data visualization needs.
Technically, the vulnerability stems from insufficient input sanitization and output escaping in the plugin's data import process. When administrators or users with contributor-level access and above upload data files through the import feature, the plugin fails to properly validate or sanitize the attributes contained in those files before storing them and later writing them into page markup. This creates a persistent cross-site scripting vector: script content placed in an imported file is saved within the plugin's data and emitted unescaped on render. The vulnerability is classified as stored XSS because the injected scripts are not merely reflected in a single response but are retained in the plugin's data structures, so they execute every time an affected page is accessed.
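To make the sanitization and escaping point concrete, here is an added illustration that is not the Visualizer plugin's own code (the plugin's source is not reproduced on this page): a minimal import-and-render path for a CSV upload, written first as a stored-XSS sink and then hardened in the WordPress-idiomatic way, sanitizing fields on import and escaping each value for the HTML context it lands in on output. The `esc_attr()`, `esc_html()` and `sanitize_text_field()` calls are real WordPress core functions; the `function_exists` shims are assumptions added so the file also runs stand-alone with plain `php`, and the sample CSV is constructed for the demonstration.

```php
<?php
declare(strict_types=1);
// Added illustration, not the Visualizer plugin's code: a minimal data-import
// feature that stores CSV headers and later renders them, shown first as a
// stored-XSS sink and then hardened the WordPress way (sanitize on input,
// escape on output). The shims below let the file run outside WordPress; on
// a real site the core functions of the same names are already defined.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress's sanitize_text_field(): strip tags and trim.
    function sanitize_text_field(string $s): string {
        return trim(strip_tags($s));
    }
}

// Constructed sample upload: a header row and one data row. The second header
// carries a script tag, standing in for attacker-controlled header text.
const SAMPLE_CSV = "Year,Revenue<script>alert(1)</script>\n2024,100\n";

function parse_csv(string $raw): array {
    $lines = array_filter(explode("\n", $raw), fn(string $l): bool => $l !== '');
    $rows  = array_map(fn(string $l): array => str_getcsv($l, ',', '"', ''), $lines);
    return ['headers' => array_shift($rows), 'rows' => array_values($rows)];
}

// Vulnerable: imported text is stored verbatim and interpolated into both an
// attribute and element content without escaping. Whoever views the chart
// page runs whatever the importer put in the header.
function store_import_vulnerable(array $parsed): array {
    return $parsed;
}
function render_table_vulnerable(array $stored): string {
    $html = '<table><tr>';
    foreach ($stored['headers'] as $h) {
        $html .= '<th data-column="' . $h . '">' . $h . '</th>';
    }
    $html .= '</tr>';
    foreach ($stored['rows'] as $row) {
        $html .= '<tr>' . implode('', array_map(fn($c) => "<td>$c</td>", $row)) . '</tr>';
    }
    return $html . '</table>';
}

// Hardened: sanitize each field at import time (defence in depth) and, more
// importantly, escape every value for the context it lands in when rendering:
// esc_attr() inside the attribute, esc_html() for element content.
function store_import_hardened(array $parsed): array {
    $clean = fn(array $fields): array => array_map('sanitize_text_field', $fields);
    return [
        'headers' => $clean($parsed['headers']),
        'rows'    => array_map($clean, $parsed['rows']),
    ];
}
function render_table_hardened(array $stored): string {
    $html = '<table><tr>';
    foreach ($stored['headers'] as $h) {
        $html .= '<th data-column="' . esc_attr($h) . '">' . esc_html($h) . '</th>';
    }
    $html .= '</tr>';
    foreach ($stored['rows'] as $row) {
        $html .= '<tr>' . implode('', array_map(fn($c) => '<td>' . esc_html($c) . '</td>', $row)) . '</tr>';
    }
    return $html . '</table>';
}

// Review-time check: does the rendered output still contain a raw script tag?
function contains_raw_script(string $html): bool {
    return stripos($html, '<script') !== false;
}

$parsed = parse_csv(SAMPLE_CSV);
$vuln   = render_table_vulnerable(store_import_vulnerable($parsed));
$safe   = render_table_hardened(store_import_hardened($parsed));
echo "vulnerable render: $vuln\n\nhardened render:   $safe\n";
if (!contains_raw_script($vuln) || contains_raw_script($safe)) {
    throw new RuntimeException('self-check failed');
}
```

The essential fix is the output escaping: even if the import-time sanitization were bypassed or skipped, `esc_attr()` and `esc_html()` turn `<` and `"` into entities so the stored text can no longer break out of the attribute or open a new element. Sanitizing on import is a second layer, not a substitute, because the same stored value may later be rendered in contexts the import code never anticipated.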
The operational impact of this vulnerability is significant for WordPress environments using the affected plugin. Attackers with contributor-level privileges or higher can leverage this weakness to inject malicious JavaScript that executes in the browsers of other users when they view pages containing the compromised data. This opens the door to session hijacking, credential theft, data exfiltration, and redirection to malicious websites. The vulnerability is of particular concern to organizations that use the plugin to share sensitive data or that have multiple users at the contributor level, because a script running in an administrator's browser acts with that administrator's privileges, giving the attacker a pathway to escalate from contributor to full compromise of the WordPress installation.
The vulnerability aligns with CWE-79, which describes Cross-Site Scripting flaws resulting from insufficient output escaping and inadequate input validation. From an adversarial perspective, this weakness maps to several ATT&CK techniques, including T1059.007 (Command and Scripting Interpreter: JavaScript), T1566 (Phishing with malicious attachments), and T1071.001 (Application Layer Protocol). Organizations should immediately update to the latest version of the Visualizer plugin, in which this vulnerability has been patched, restrict which accounts hold contributor-level privileges, and review data files that have already been imported. Additionally, monitoring should be tuned to flag script markup in imported data files and in the plugin's stored datasets, and regular security assessments should include verification of plugin integrity and of proper sanitization and escaping of user input, to prevent similar vulnerabilities from persisting in other WordPress components.