CVE-2025-2685: 
WordPress vulnerability analysis and mitigation

The TablePress WordPress plugin (versions up to 3.0.4) contains a Stored Cross-Site Scripting vulnerability (CVE-2025-2685) discovered on March 27, 2025. The vulnerability exists in the 'table-name' parameter due to insufficient input sanitization and output escaping. This security issue affects authenticated users with Author-level access and above (NVD).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.4 (Medium). The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and affecting changed scope (S:C) with low confidentiality and integrity impact (C:L/I:L) and no availability impact (A:N). The vulnerability is tracked as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with Author-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses the affected page, potentially leading to unauthorized actions, data theft, or session hijacking (NVD).

The vulnerability affects TablePress versions up to and including 3.0.4. Users should update to the latest version of the plugin when available. The fix involves proper input sanitization and output escaping of the 'table-name' parameter (NVD).