WordPress Plugin Vulnerabilities

WP Table Builder < 2.0.20 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation

Description

The WP Table Builder – Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new wptb-table posts.

Affects Plugins

Plugin icon
wp-table-builder
Fixed in 2.0.20

References

CVE
CVE-2025-13753
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/95f49080-2263-4f6d-9372-30137efd8e10

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
8109e908-7535-4816-9a62-8f096bbb3823

Timeline

Publicly Published
2026-01-08 (about 4 months ago)
Added
2026-01-08 (about 4 months ago)
Last Updated
2026-03-13 (about 1 month ago)

Other

Published
Title
Published
2021-11-09
Title
Get Custom Field Values < 4.0 - Contributors+ Arbitrary Post Metadata Access
Published
2022-05-09
Title
Change wp-admin Login < 1.1.0 - Unauthenticated Arbitrary Settings Update
Published
2022-11-14
Title
Transposh WordPress Translation <= 1.0.8 - Settings Update via Authorization Bypass
Published
2024-04-05
Title
PostX – Gutenberg Blocks for Post Grid < 3.2.4 - Incorrect Authorization
Published
2021-09-29
Title
Stylish Price List < 6.9.0 - Unauthenticated Arbitrary Image Upload