CVE-2025-12324: 
WordPress vulnerability analysis and mitigation

The TablePress WordPress plugin versions up to 3.2.4 is affected by a Stored Cross-Site Scripting vulnerability (CVE-2025-12324). The vulnerability was discovered by researcher Rafshanzani Suhada and publicly disclosed on November 3, 2025. The issue affects authenticated users with Contributor level permissions or higher (Wordfence Intel).

The vulnerability has been assigned a CVSS v3.1 score of 6.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The security flaw exists in the shortcode attributes processing functionality of the TablePress plugin, specifically in the frontend controller component (WordPress Source).

When successfully exploited, this vulnerability allows authenticated attackers with Contributor or higher privileges to store and execute malicious JavaScript code that will be executed in the context of other users' browsers when they view affected pages (Wordfence Intel).

Website administrators running affected versions of the TablePress plugin should update to a patched version as soon as it becomes available. In the meantime, it is recommended to review and potentially restrict Contributor and higher-level user access to minimize the risk of exploitation (Wordfence Intel).