
CVE-2025-49286: CWE-352 Cross-Site Request Forgery (CSRF) in WP Table Builder WP Table Builder

Severity: Medium
Published: Fri Jun 06 2025 (06/06/2025, 12:53:42 UTC)
Source: CVE Database V5
Vendor/Project: WP Table Builder
Product: WP Table Builder

Description

Cross-Site Request Forgery (CSRF) vulnerability in WP Table Builder WP Table Builder allows Cross Site Request Forgery. This issue affects WP Table Builder: from n/a through 2.0.6.

AI-Powered Analysis

AI analysis last updated: 07/07/2025, 21:25:48 UTC

Technical Analysis

CVE-2025-49286 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the WordPress plugin WP Table Builder, affecting versions up to 2.0.6. CSRF vulnerabilities allow an attacker to trick an authenticated user into submitting unwanted actions on a web application in which they are currently authenticated. In this case, the vulnerability permits an attacker to craft malicious requests that, when executed by an authenticated administrator or user with sufficient privileges, could alter the plugin's data or settings without the user's consent. The CVSS 3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based (remote), requires no privileges, but does require user interaction (the victim must visit a malicious site or click a crafted link). The impact is limited to integrity, with no direct confidentiality or availability impact. There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability is categorized under CWE-352, which is a common web application security weakness related to CSRF. Since WP Table Builder is a WordPress plugin used to create tables within WordPress sites, this vulnerability primarily threatens the integrity of table data or plugin configurations, potentially leading to unauthorized modifications or defacements within affected websites.

Potential Impact

For European organizations using WordPress sites with the WP Table Builder plugin, this vulnerability poses a risk of unauthorized modification of website content or plugin settings, which could lead to misinformation, defacement, or disruption of normal site operations. While the confidentiality and availability impacts are minimal, integrity compromise can damage organizational reputation, especially for public-facing websites or e-commerce platforms. Attackers could leverage CSRF to alter pricing tables, product information, or other critical data presented via tables, potentially misleading customers or partners. Given the medium severity and the requirement for user interaction, the threat is moderate but should not be underestimated, particularly for organizations with high web presence or those handling sensitive customer interactions through their WordPress sites.

Mitigation Recommendations

1. Immediate mitigation involves updating the WP Table Builder plugin to a patched version once the vendor releases one. Since no patch links are currently provided, organizations should monitor official WP Table Builder channels for updates.
2. Implement anti-CSRF tokens in all forms and state-changing requests within the plugin to ensure requests are legitimate and originate from the authenticated user's own session.
3. Employ Content Security Policy (CSP) headers to restrict the domains from which scripts can be loaded, reducing the risk of malicious script execution.
4. Educate users and administrators about the risks of clicking on suspicious links or visiting untrusted websites while logged into administrative interfaces.
5. Use Web Application Firewalls (WAFs) with rules to detect and block CSRF attack patterns targeting WordPress plugins.
6. Limit administrative access to the WordPress backend via IP whitelisting or VPN to reduce exposure.
7. Regularly audit and monitor logs for unusual POST requests or changes to plugin data that could indicate exploitation attempts.
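To illustrate mitigation 2, here is an added example of the WordPress pattern that closes a CSRF hole in a plugin's state-changing handler; it is not WP Table Builder's code, and the handler name, option key and nonce action are hypothetical. The first function shows the unprotected pattern, the second the same handler gated by a capability check and a nonce.

```php
<?php
// Added example, not WP Table Builder's own code. The function names,
// the option key 'wptb_demo_table_title' and the nonce action are assumptions.

// --- Unprotected pattern: the handler acts on any POST that reaches it. ---
// A logged-in administrator lured onto a third-party page can have this form
// submitted on their behalf, so the option is overwritten without consent.
function wptb_demo_save_title_vulnerable() {
    if ( isset( $_POST['table_title'] ) ) {
        update_option( 'wptb_demo_table_title', sanitize_text_field( wp_unslash( $_POST['table_title'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=wptb-demo' ) );
    exit;
}

// --- Hardened pattern: capability check plus a nonce bound to this action. ---
function wptb_demo_save_title_hardened() {
    // 1. Only users allowed to manage settings may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Require a valid nonce for this specific action. check_admin_referer()
    //    stops with a 403 when the nonce is missing, expired or forged. A
    //    cross-site page cannot read the nonce rendered into the victim's
    //    admin page, so a forged submission fails here.
    check_admin_referer( 'wptb_demo_save_title', 'wptb_demo_nonce' );

    if ( isset( $_POST['table_title'] ) ) {
        update_option( 'wptb_demo_table_title', sanitize_text_field( wp_unslash( $_POST['table_title'] ) ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=wptb-demo' ) );
    exit;
}
add_action( 'admin_post_wptb_demo_save_title', 'wptb_demo_save_title_hardened' );

// The settings form must carry the matching nonce field so that legitimate
// submissions from the admin page pass the check above.
function wptb_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wptb_demo_save_title">
        <?php wp_nonce_field( 'wptb_demo_save_title', 'wptb_demo_nonce' ); ?>
        <input type="text" name="table_title"
               value="<?php echo esc_attr( get_option( 'wptb_demo_table_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The same nonce-plus-capability check applies to AJAX handlers registered via admin-ajax.php and to REST routes, where the permission callback plays the capability role.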


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-06-04T09:41:43.867Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6842ede071f4d251b5c88102

Added to database: 6/6/2025, 1:32:16 PM

Last enriched: 7/7/2025, 9:25:48 PM

Last updated: 8/17/2025, 1:39:34 PM

