CVE-2026-15301 in TableSearch Plugin
Summary
by MITRE • 07/10/2026
The BuddyHolis TableSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The BuddyHolis TableSearch plugin for WordPress presents a significant security vulnerability classified as stored cross-site scripting that affects all versions up to and including 1.1.0. This flaw resides within the plugin's handling of the 'placeholder' parameter, where inadequate input sanitization and output escaping mechanisms fail to properly validate or encode user-supplied data before it is stored and subsequently rendered in web pages. The vulnerability operates under the Common Weakness Enumeration framework as CWE-79, which specifically addresses cross-site scripting flaws that occur when untrusted data is embedded into web pages without proper validation or encoding.
Attackers with Contributor-level access or higher can exploit this weakness by crafting malicious payloads within the placeholder parameter during plugin configuration or data entry processes. Once these malicious scripts are stored in the application's database, they become persistent and execute automatically whenever any user accesses pages containing the injected content. This creates a particularly dangerous scenario where authenticated users who may not be directly targeted can unknowingly become victims of the stored XSS attack, as the malicious code executes in their browser context without their knowledge.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with potential access to sensitive user data and session information. The stored nature of the vulnerability means that even users who do not actively interact with the compromised plugin interface can be affected, creating a broader attack surface than typical reflected XSS scenarios. This weakness particularly undermines the principle of least privilege in WordPress environments where contributors typically have limited capabilities but can now leverage this vulnerability to compromise other users' sessions or extract sensitive information from authenticated browsing contexts.
Mitigation strategies should focus on immediate remediation through plugin updates to versions that properly sanitize and escape all user inputs, specifically addressing the placeholder parameter handling. Security administrators should implement input validation mechanisms that reject potentially malicious content patterns and employ output encoding techniques that prevent script execution in web contexts. Additionally, privilege review processes should be enhanced to minimize the risk of contributor-level accounts being used for such attacks, while implementing Content Security Policy headers that can further mitigate the impact of successful XSS exploitation attempts. The vulnerability demonstrates the critical importance of proper input validation and output escaping practices as outlined in the OWASP Top Ten security principles and aligns with ATT&CK framework techniques related to credential access and execution through web application vulnerabilities.