The WP Table Builder – Drag & Drop Table Builder plugin for WordPress suffers from an authorization bypass vulnerability identified as CVE-2025-13753. The root cause is an incorrect authorization check in the save_table() function, which is responsible for saving table data within the plugin. This flaw allows any authenticated user with at least Subscriber-level privileges to create new wptb-table posts, a capability normally restricted to higher privilege roles such as Editors or Administrators. The vulnerability affects all versions up to and including 2.0.19. The CVSS 3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires low attack complexity, and only low privileges, but does not impact confidentiality or availability. The vulnerability is classified under CWE-863 (Incorrect Authorization). Exploitation does not require user interaction beyond authentication, and no known exploits are currently in the wild. The lack of a patch link suggests that a fix may not yet be publicly available or is pending. This vulnerability could be leveraged to manipulate site content by unauthorized users, potentially leading to misinformation, defacement, or other integrity issues within affected WordPress sites.

The primary impact of CVE-2025-13753 is unauthorized modification of website content through the creation of new table posts by low-privileged authenticated users. While confidentiality and availability remain unaffected, integrity is compromised, which can damage organizational reputation, mislead site visitors, or facilitate further attacks such as phishing or social engineering. For organizations relying on WordPress sites with this plugin installed, especially those with many users having Subscriber-level access, the risk of content tampering increases. This can affect e-commerce, news, educational, and corporate websites where content trustworthiness is critical. Although exploitation requires authentication, many WordPress sites allow user registrations or have multiple contributors, increasing the attack surface. The absence of known exploits reduces immediate risk, but the vulnerability remains a significant concern until patched.

Organizations should immediately audit their WordPress installations to identify the presence of the WP Table Builder plugin and its version. Until a patch is released, administrators should restrict user roles to the minimum necessary privileges, especially limiting Subscriber-level users from accessing table-building features. Implementing additional access control plugins or custom code to enforce stricter authorization on the save_table() function can mitigate exploitation. Monitoring website content for unauthorized changes and enabling logging of plugin-related actions can help detect exploitation attempts. Regularly updating the plugin once a patch is available is critical. Additionally, consider disabling or removing the plugin if it is not essential to reduce the attack surface. Employing web application firewalls (WAFs) with custom rules to detect anomalous requests targeting the save_table() endpoint may provide temporary protection.