Vulnerabilities and security researches fortablepress tablepress

Feb 17, 2025

PSC, Research URL: PSC-2025-64556
Home page URL: Security reports for TablePress – Tables in WordPress made easy
Application: TablePress – Tables in WordPress made easy
Date: -
Research Description: TablePress is a powerful and user-friendly WordPress plugin designed to help users create and manage tables effortlessly. Whether you need to display data, create interactive tables, or import/export information, TablePress offers a comprehensive set of features without requiring any coding knowledge. Beyond its functional advantages, TablePress prioritizes security, ensuring that data handling remains safe and reliable. After undergoing a rigorous security audit, TablePress has earned the prestigious Plugin Security Certification (PSC) from CleanTalk, confirming its compliance with modern security standards.
Affected versions: Min -, max -.
Status: SAFE & CERTIFIED

Oct 12, 2024

CVE, Research URL: CVE-2024-9595
Home page URL: Security reports for TablePress – Tables in WordPress made easy
Application: TablePress – Tables in WordPress made easy
Date: Oct 12, 2024
Research Description: The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the table cell content in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Jun 08, 2024

CVE, Research URL: CVE-2024-4354
Home page URL: Security reports for TablePress – Tables in WordPress made easy
Application: TablePress – Tables in WordPress made easy
Date: Jun 07, 2024
Research Description: The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3 via the get_files_to_import() function. This makes it possible for authenticated attackers, with author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Due to the complex nature of protecting against DNS rebind attacks in WordPress software, we settled on the developer simply restricting the usage of the URL import functionality to just administrators. While this is not optimal, we feel this poses a minimal risk to most site owners and ideally WordPress core would correct this issue in wp_safe_remote_get() and other functions.
Affected versions: Min -, max -.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2017-10889
Home page URL: Security reports for TablePress – Tables in WordPress made easy
Application: TablePress – Tables in WordPress made easy
Date: Nov 17, 2017
Research Description: TablePress prior to version 1.8.1 allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2019-20180
Home page URL: Security reports for TablePress – Tables in WordPress made easy
Application: TablePress – Tables in WordPress made easy
Date: Jan 10, 2020
Research Description: The TablePress plugin 1.9.2 for WordPress allows tablepress[data] CSV injection by Editor users. Note: The vendor disputes this issue and argues that this responsibility lies with the application that opens the CSV file and not TablePress.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-23825
Home page URL: Security reports for TablePress – Tables in WordPress made easy
Application: TablePress – Tables in WordPress made easy
Date: Jan 30, 2024
Research Description: TablePress is a table plugin for Wordpress. For importing tables, TablePress makes external HTTP requests based on a URL that is provided by the user. That user input is filtered insufficiently, which makes it is possible to send requests to unintended network locations and receive responses. On sites in a cloud environment like AWS, an attacker can potentially make GET requests to the instance's metadata REST API. If the instance's configuration is insecure, this can lead to the exposure of internal data, including credentials. This vulnerability is fixed in 2.2.5.
Affected versions: Min -, max -.
Status: vulnerable