The vulnerability CVE-2025-13753 affects the WP Table Builder – Drag & Drop Table Builder plugin for WordPress, specifically versions up to and including 2.0.19. The root cause is an incorrect authorization check in the save_table() function, which is responsible for saving table data created via the plugin. This flaw allows any authenticated user with at least Subscriber-level privileges to bypass intended permission restrictions and create new wptb-table posts. Since Subscribers typically have limited capabilities, this escalation of privileges within the plugin context enables unauthorized content modification. The vulnerability does not expose confidential data or disrupt service availability but compromises data integrity by allowing unauthorized content creation or modification. The CVSS 3.1 score is 4.3 (medium), reflecting the low complexity of exploitation (low attack complexity), network attack vector, and the requirement for low privileges but no user interaction. No known exploits have been reported in the wild, and no official patches are currently available. The vulnerability is classified under CWE-863 (Incorrect Authorization), highlighting a failure to properly enforce access controls. This issue is critical for websites relying on this plugin for content management, as unauthorized table posts could be used to inject misleading or malicious content, potentially damaging site credibility or facilitating further attacks such as phishing or misinformation campaigns.

For European organizations, the primary impact of this vulnerability lies in the unauthorized modification of website content, which can undermine the integrity and trustworthiness of their web presence. Organizations using the WP Table Builder plugin on WordPress sites may face risks of content tampering by low-privilege authenticated users, such as subscribers or registered users. This could lead to misinformation, defacement, or embedding of malicious content within tables, potentially harming brand reputation and user trust. Although the vulnerability does not directly compromise confidentiality or availability, the integrity breach can be leveraged for social engineering or phishing attacks targeting site visitors. Public sector, media, educational institutions, and e-commerce platforms in Europe that rely on WordPress and this plugin are particularly at risk. The ease of exploitation and the widespread use of WordPress in Europe increase the likelihood of exploitation attempts, especially in countries with high WordPress market share. The absence of known exploits in the wild suggests limited current impact but also highlights the importance of proactive mitigation.

1. Immediately audit user roles and permissions on WordPress sites using the WP Table Builder plugin, ensuring that only trusted users have Subscriber-level or higher access. 2. Restrict plugin usage to administrators or editors where possible, minimizing the number of users who can interact with the table builder functionality. 3. Monitor and log creation of new wptb-table posts to detect unauthorized or suspicious activity promptly. 4. Implement web application firewalls (WAF) with custom rules to detect and block unauthorized attempts to invoke the save_table() function. 5. Regularly update WordPress core and plugins; apply security patches from the vendor as soon as they become available. 6. Consider temporarily disabling or removing the WP Table Builder plugin if it is not essential until a patch is released. 7. Educate site administrators and users about the risks of privilege escalation and enforce strong authentication mechanisms to reduce the risk of compromised accounts. 8. Conduct periodic security assessments focusing on plugin vulnerabilities and access control enforcement.