WP Table Builder – WordPress Table Plugin < 1.4.15 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2024-4700 | Plugin Vulnerabilities

Description

The WP Table Builder – WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button element in all versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, this can only be exploited by administrators, but the ability to use and configure WP Table Builder can be extended to contributors.

Affects Plugins

wp-table-builder

Fixed in 1.4.15

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/20cd08ac-826f-40dd-804a-546b0c334b66

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Tim Coen

Verified

No

WPVDB ID

89dd6488-cc93-4c69-a506-d06889b8d435

Timeline

Publicly Published

2024-05-20 (about 1 year ago)

Added

2024-05-20 (about 1 year ago)

Last Updated

2024-05-21 (about 1 year ago)

Other

Published

Title

Published

2025-01-21

Title

Zarinpal Paid Downloads <= 2.3 - Reflected XSS

Published

2024-10-31

Title

WP Feature Box <= 0.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-08-27

Title

Beaver Builder Plugin (Lite Version) < 2.9.3.1 - Reflected Cross-Site Scripting

Published

2025-01-18

Title

UltraLight <= 1.2 - Reflected Cross-Site Scripting

Published

2015-04-20

Title

Broken Link Checker <= 1.10.5 - CSRF/XSS