TablePress Plugin on WordPress Table Import Import data cross site scripting 🚫 [False Positive]

Hi!

This is Tobias, the author and developer of the mentioned TablePress plugin for WordPress.

I have reviewed this submission and come to the conclusion that it is invalid and false.

From the provided screenshots, it’s clear that the reporter is logged in as an Administrator to the WordPress site. As such, he has the "unfiltered_html" capability, which means that he is allowed to add, edit, and import arbitrary HTML and JavaScript content in TablePress and WordPress. This is by design in WordPress.

Unprivileged users, like Authors, do not have this capability and the JavaScript code will be stripped. All this follows the WordPress guidelines, see https://make.wordpress.org/core/handbook/testing/reporting-security-vulnerabilities/#why-are-some-users-allowed-to-post-unfiltered-html

I therefore ask you to remove this false report, as well as the CVE entry that has been opened for this. Thank you.

If there are any questions, please let me know!

Best wishes,
TobiasBg
Author and Developer of TablePress
https://tablepress.org/

Hello,

as you know users with multiple role can be add shortcode for add tablepress in posts
for example author user can import tablepress payload like html value then insert shortcode of that in posts
https://drive.google.com/file/d/1SlJU2ditOt569hSA_TDws93bj5XWPbA-/view?usp=sharing
https://drive.google.com/file/d/1MARrvkstR5hX6Zn-9YdojjOMgJ6vuRjN/view?usp=sharing


Best Regard