WordPress Plugin Vulnerabilities

WP Table Builder < 1.4.7 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape some of parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

Affects Plugins

Plugin icon
wp-table-builder
Fixed in 1.4.7

References

CVE
CVE-2022-46852

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
Muhammad Daffa
Verified
No
WPVDB ID
6c7768aa-a9c8-4667-82f0-8e6351d7e4ee

Timeline

Publicly Published
2023-02-20 (about 3 years ago)
Added
2023-05-04 (about 3 years ago)
Last Updated
2023-05-04 (about 3 years ago)

Other

Published
Title
Published
2024-07-16
Title
easy-table-of-contents < 2.0.68 - Editor+ Stored XSS
Published
2025-07-17
Title
Universal Video Player - Addon for WPBakery Page Builder < 3.2.2.0 - Reflected Cross-Site Scripting
Published
2023-10-25
Title
WP Simple HTML Sitemap < 2.3 - Reflected XSS
Published
2024-06-06
Title
Photo Gallery by 10Web – Mobile-Friendly Image Gallery < 1.8.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Zipped SVG
Published
2025-04-17
Title
Payment Form for PayPal Pro < 1.1.73 - Authenticated (Administrator+) Stored Cross-Site Scripting