CVE-2025-5096
WordPress vulnerability analysis and mitigation

Overview

The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting (CVE-2025-5096) via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes in versions up to and including 3.1.2. The vulnerability was discovered by Asaf Mozes from the Wordfence team and was publicly disclosed on May 22, 2025 (TablePress Release, NVD).

Technical details

The vulnerability stems from insufficient input sanitization and output escaping of certain data attributes in the TablePress plugin. The CVSS v3.1 base score is 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability affects the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes, making it possible for authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts (Wiz).

Impact

This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to data theft, session hijacking, or other client-side attacks (NVD).

Mitigation and workarounds

Users should immediately update to TablePress version 3.1.3 or later, which includes a fix for this vulnerability. The update is available through the WordPress Plugin Directory and will appear as an update notification in the WordPress Dashboard (TablePress Release).

Additional resources


SourceThis report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management