CVE-2017-20108: 
WordPress vulnerability analysis and mitigation

The Easy Table WordPress plugin version 1.6 and earlier contains a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2017-20108. The vulnerability was discovered by Manuel Garcia Cardenas and publicly disclosed on February 14, 2017. This security issue affects the plugin's settings page in the WordPress admin panel, specifically within the /wordpress/wp-admin/options-general.php file (WPScan, Full Disclosure).

The vulnerability stems from insufficient sanitization and escaping of plugin settings parameters. When the unfiltered_html capability is disallowed (common in multisite setups), high-privilege users such as administrators can inject malicious scripts into various plugin settings fields. The vulnerability has been assigned a CVSS score of 3.4 (low severity) and is classified under CWE-79 (Cross-Site Scripting) (WPScan).

If exploited, this vulnerability allows attackers to execute arbitrary HTML or script code in targeted users' browsers. This can lead to the theft of sensitive information, including user credentials and personal data (Full Disclosure).

The vulnerability was fixed in version 1.7 of the Easy Table plugin. Prior to the patch, the recommended mitigation was to disable the plugin until a fix became available (WPScan, Full Disclosure).