The plugin does not sanitise and escape some of its Table settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)
Create/edit a table, go to its settings, enabled the Signature (in Main Settings tab) and put the following payload in the Signature Text textarea: <svg/onload=alert(/XSS/)> The XSS will be triggered in a page/post where the table is embed
iohex
iohex
Yes
2022-06-22 (about 1 years ago)
2022-06-22 (about 1 years ago)
2023-03-29 (about 5 months ago)