{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3513", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-04T14:58:56.897Z", "datePublished": "2026-04-08T03:36:08.564Z", "dateUpdated": "2026-04-08T16:45:27.588Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:45:27.588Z"}, "affected": [{"vendor": "realmag777", "product": "TableOn \u2013 WordPress Posts Table Filterable", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.4.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The TableOn \u2013 WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableon_button' shortcode in all versions up to and including 1.0.4.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'class', 'help_link', 'popup_title', and 'help_title'. The do_shortcode_button() function extracts these attributes without sanitization and passes them to TABLEON_HELPER::draw_html_item(), which concatenates attribute values into HTML using single quotes without escaping (line 29: $item .= \" {$key}='{$value}'\"). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "TableOn \u2013 WordPress Posts Table Filterable <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/33490873-da99-465e-bfb6-44d2ba84f3ee?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/posts-table-filterable/trunk/lib/helper.php#L29"}, {"url": "https://plugins.trac.wordpress.org/browser/posts-table-filterable/trunk/index.php#L489"}, {"url": "https://plugins.trac.wordpress.org/browser/posts-table-filterable/trunk/index.php#L495"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3492852%40posts-table-filterable&new=3492852%40posts-table-filterable&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3476421%40posts-table-filterable&new=3476421%40posts-table-filterable&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2026-03-04T15:14:10.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T15:35:29.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:56:45.786360Z", "id": "CVE-2026-3513", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:56:52.277Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3513", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:56:45.786360Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:56:48.949Z"}}], "cna": {"title": "TableOn \u2013 WordPress Posts Table Filterable <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "realmag777", "product": "TableOn \u2013 WordPress Posts Table Filterable", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.4.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-04T15:14:10.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T15:35:29.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/33490873-da99-465e-bfb6-44d2ba84f3ee?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/posts-table-filterable/trunk/lib/helper.php#L29"}, {"url": "https://plugins.trac.wordpress.org/browser/posts-table-filterable/trunk/index.php#L489"}, {"url": "https://plugins.trac.wordpress.org/browser/posts-table-filterable/trunk/index.php#L495"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3492852%40posts-table-filterable&new=3492852%40posts-table-filterable&sfp_email=&sfph_mail="}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3476421%40posts-table-filterable&new=3476421%40posts-table-filterable&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The TableOn \u2013 WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableon_button' shortcode in all versions up to and including 1.0.4.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'class', 'help_link', 'popup_title', and 'help_title'. The do_shortcode_button() function extracts these attributes without sanitization and passes them to TABLEON_HELPER::draw_html_item(), which concatenates attribute values into HTML using single quotes without escaping (line 29: $item .= \" {$key}='{$value}'\"). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T03:36:08.564Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3513", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:56:52.277Z", "dateReserved": "2026-03-04T14:58:56.897Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T03:36:08.564Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The TableOn \u2013 WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableon_button' shortcode in all versions up to and including 1.0.4.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'class', 'help_link', 'popup_title', and 'help_title'. The do_shortcode_button() function extracts these attributes without sanitization and passes them to TABLEON_HELPER::draw_html_item(), which concatenates attribute values into HTML using single quotes without escaping (line 29: $item .= \" {$key}='{$value}'\"). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-3513", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T05:16:05.790", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/posts-table-filterable/trunk/index.php#L489"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/posts-table-filterable/trunk/index.php#L495"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/posts-table-filterable/trunk/lib/helper.php#L29"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3476421%40posts-table-filterable&new=3476421%40posts-table-filterable&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3492852%40posts-table-filterable&new=3492852%40posts-table-filterable&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/33490873-da99-465e-bfb6-44d2ba84f3ee?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T05:22:41.444983+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the TableOn plugin (1.0.5 or newer) that corrects the sanitization of shortcode attributes.", "If an update is not immediately possible, remove or disable the vulnerable shortcode from your posts and pages, or uninstall the plugin entirely until a fix is released.", "Restrict Contributor or higher roles to trusted users only, or consider additional role\u2011management controls to prevent unauthorized content injection.", "Conduct a scan of your site\u2019s content for injected scripts and cleanse any instances found.", "Keep an eye on the vendor\u2019s repository or WordPress plugin directory for a patch and test it in a staging environment before deploying it to production."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site\u00a0Scripting via the shortcode\u2019s class attribute allows an authenticated user to inject and execute arbitrary client\u2011side scripts on every page that loads the shortcode"}, "threat_synthesis": {"affected_systems": "The flaw affects the TableOn \u2013 WordPress Posts Table Filterable plugin for WordPress, versions up to and including 1.0.4.4. Any WordPress site running this plugin version and granting Contributor or higher roles to users is susceptible.", "description_and_impact": "This vulnerability stems from inadequate sanitization of the tableon_button shortcode attributes, notably class, help_link, popup_title and help_title. An attacker with Contributor or higher privileges can craft a malicious value for the class attribute, which the plugin concatenates into the HTML output without escaping. The result is stored XSS; when any user visits a page containing the injected shortcode, the malicious script runs in that user\u2019s browser, potentially leading to defacement, session hijacking, or the delivery of phishing payloads. This attack does not compromise the server directly but can compromise the confidentiality, integrity, and authenticity of all site users who access the affected pages.", "risk_and_exploitability": "The CVSS score of 6.4 reflects a moderate impact, and the EPSS score is not available, so the probability of exploitation in the wild is unclear. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, and the only identified vector is through authenticated users who can insert the shortened code. If such users are present on the site, the risk remains present until the plugin is upgraded or the usage of the affected shortcode is removed."}}}}, "created": "2026-04-08T19:44:04.141389+00:00", "updated": "2026-04-08T19:44:04.141505+00:00", "vendors": []}