CVE-2025-10053 is a stored Cross-Site Scripting (XSS) vulnerability identified in the TableGen – Data Table Generator plugin for WordPress, developed by exlac. This vulnerability affects all versions up to and including 1.3.1. The root cause is improper neutralization of input during web page generation, specifically insufficient input sanitization and output escaping in the plugin's admin settings. An attacker with administrator-level permissions or higher can exploit this flaw by injecting arbitrary malicious scripts into pages. These scripts execute whenever any user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or other malicious activities. Notably, this vulnerability only manifests in multi-site WordPress installations or installations where the unfiltered_html capability is disabled, limiting the scope somewhat. The CVSS 3.1 base score is 4.4 (medium severity), reflecting a network attack vector with high complexity, requiring high privileges but no user interaction. The vulnerability impacts confidentiality and integrity but not availability. There are no known exploits in the wild yet, and no patches have been linked at the time of publication. The vulnerability is classified under CWE-79, which corresponds to improper neutralization of input leading to XSS. Given the stored nature of the XSS, the injected scripts persist in the database and affect all users who view the infected pages, increasing the risk of widespread impact within affected installations.

For European organizations using WordPress multi-site installations with the TableGen plugin, this vulnerability poses a risk of unauthorized script execution within their administrative or user environments. The exploitation could lead to theft of authentication tokens, unauthorized actions performed on behalf of users, or defacement of web content. Since the attacker must have administrator-level access, the vulnerability primarily escalates the impact of insider threats or compromised admin accounts. The persistence of malicious scripts can facilitate prolonged attacks, including data exfiltration or lateral movement within the network. Although the vulnerability does not affect availability, the compromise of confidentiality and integrity can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR breaches if personal data is exposed), and incur remediation costs. The limitation to multi-site and unfiltered_html-disabled installations narrows the affected population but does not eliminate risk for large organizations or managed service providers hosting multiple WordPress sites. Given WordPress's widespread use in Europe, especially among SMEs and public sector entities, the threat is relevant and warrants attention.

Organizations should first verify if they operate multi-site WordPress installations using the TableGen – Data Table Generator plugin version 1.3.1 or earlier. Immediate mitigation involves restricting administrator access to trusted personnel only and auditing existing admin accounts for compromise. Since no official patch is currently linked, administrators should consider temporarily disabling or removing the plugin until a secure update is released. As a workaround, enabling the unfiltered_html capability for trusted users or adjusting user roles to limit script injection risks may reduce exposure. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious script payloads in admin settings can provide additional defense. Regularly monitoring logs for unusual admin activity and scanning for injected scripts in pages is recommended. Once a patch becomes available, prompt application is critical. Additionally, educating administrators about the risks of stored XSS and enforcing strong authentication and session management practices will help mitigate exploitation potential.