WordPress Plugin Vulnerabilities

FlexTable Google Sheets Connector < 3.19.2 - Admin+ Stored XSS

Description

The plugin does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

Proof of Concept

Affects Plugins

Plugin icon
sheets-to-wp-table-live-sync
Fixed in 3.19.2

References

CVE
CVE-2025-9543

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
3.5 (low)

Miscellaneous

Original Researcher
Nguyễn Phước Thiện
Submitter
Nguyễn Phước Thiện
Submitter twitter
phuocthien7733
Verified
Yes
WPVDB ID
6cc212f4-aa61-409a-b257-9c920956a401

Timeline

Publicly Published
2025-12-15 (about 23 days ago)
Added
2025-12-15 (about 22 days ago)
Last Updated
2025-12-15 (about 22 days ago)

Other

Published
Title
Published
2022-05-10
Title
Quotes llama < 1.0.0 - Admin+ Stored Cross-Site Scripting
Published
2025-03-02
Title
Slider, Gallery, Carousel by MetaSlider < 3.95.0 - Editor+ Stored XSS
Published
2024-10-29
Title
MailPoet < 5.3.2 - Admin+ Stored XSS
Published
2019-12-26
Title
WP Accessibility < 1.7.0 - Minor Authenticated Stored XSS in custom CSS
Published
2025-01-16
Title
Unique UX <= 0.9.2 - Reflected Cross-Site Scripting