cleantalk
Vulnerabilities and Security Researches

TableOn – WordPress Posts Table Filterable , CVE-2026-3513

CVE, Research URL

CVE-2026-3513

Home page URL

Security reports for TableOn – WordPress Posts Table Filterable 

Application

TableOn – WordPress Posts Table Filterable 

Published on
Apr 08, 2026
Research Description
The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableon_button' shortcode in all versions up to and including 1.0.4.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'class', 'help_link', 'popup_title', and 'help_title'. The do_shortcode_button() function extracts these attributes without sanitization and passes them to TABLEON_HELPER::draw_html_item(), which concatenates attribute values into HTML using single quotes without escaping (line 29: $item .= " {$key}='{$value}'"). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 1.0.5.
Status
vulnerable
Previous vulnerability researches
TableOn – WordPress Posts Table Filterable  (CVE-2025-32569) , Apr 13, 2025
TableOn – WordPress Posts Table Filterable  (3baac97a62718d22a0676a3b26aea087baf75743) , Jun 07, 2024
TableOn – WordPress Posts Table Filterable  (CVE-2026-42755) , May 30, 2026
TableOn – WordPress Posts Table Filterable  (CVE-2025-5143) , Jul 03, 2025
TableOn – WordPress Posts Table Filterable  (CVE-2025-32218) , Apr 06, 2025
New vulnerability
Breeze – WordPress Cache Plugin (CVE-2026-2128) , May 30, 2026
Frontend Admin by DynamiApps (CVE-2026-6226) , May 30, 2026
Frontend Admin by DynamiApps (CVE-2026-7802) , May 30, 2026
EventPress (CVE-2026-6268) , May 30, 2026
WPComplete (CVE-2026-42750) , May 30, 2026