CVE-2025-10053: 
WordPress vulnerability analysis and mitigation

The TableGen – Data Table Generator plugin for WordPress contains a Stored Cross-Site Scripting vulnerability in versions up to and including 1.3.1. The vulnerability was discovered and reported by Wordfence, with the initial disclosure date of October 3, 2025 (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the admin settings of the plugin. This security flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The vulnerability has received a CVSS v3.1 base score of 4.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page. The impact is limited to multi-site installations and installations where unfiltered_html has been disabled (NVD).

As of October 1, 2025, the plugin has been temporarily closed and is not available for download pending a full review (WordPress). Users are advised to disable and remove the plugin until a patched version becomes available.