CVE-2025-9126: 
WordPress vulnerability analysis and mitigation

The Smart Table Builder plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-9126, discovered and disclosed on September 6, 2025. The vulnerability affects all versions up to and including 1.0.1 of the plugin. This security issue stems from insufficient input sanitization and output escaping of the 'id' parameter (NVD).

The vulnerability is classified as a Cross-Site Scripting (CWE-79) issue with a CVSS v3.1 Base Score of 6.4 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. The security flaw exists in the frontend rendering functionality where the 'id' parameter was not properly sanitized before being output to the page. The issue was addressed in version 1.0.2 by implementing proper sanitization using the absint() function for the table ID parameter (GitHub Commit).

The vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially leading to unauthorized access to user data and manipulation of website content (NVD).

Users should immediately update their Smart Table Builder plugin to version 1.0.2 or later, which includes the security fix. The update implements proper input sanitization using the absint() function for the table ID parameter (GitHub Commit).