CVE-2025-5096 identifies a DOM-based stored Cross-Site Scripting vulnerability in the TablePress plugin for WordPress, a widely used tool for creating and managing tables on websites. The vulnerability affects all versions up to and including 3.1.2 due to improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to sufficiently sanitize and escape user-supplied data in the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' HTML data attributes. Authenticated attackers with Contributor-level access or higher can inject arbitrary JavaScript code into these attributes. Because the malicious scripts are stored and rendered in pages viewed by other users, this leads to persistent XSS attacks. The vulnerability is exploitable remotely over the network without user interaction, with low attack complexity, and requires only limited privileges (Contributor or above). The scope is significant as it affects all installations of the plugin up to version 3.1.2. The impact includes potential theft of session tokens, defacement, unauthorized actions on behalf of users, or further compromise of the WordPress site. No patches or official fixes are currently linked, and no known exploits are reported in the wild. The vulnerability was published on May 23, 2025, and assigned a CVSS v3.1 score of 6.4, indicating medium severity with confidentiality and integrity impacts but no availability impact. The vulnerability is classified under CWE-79, highlighting improper input validation and output encoding as root causes.

The exploitation of this vulnerability can lead to unauthorized script execution in the context of the affected WordPress site, compromising the confidentiality and integrity of user data. Attackers can hijack user sessions, steal cookies, perform actions on behalf of other users, or inject malicious content that could lead to further attacks such as phishing or malware distribution. Since the vulnerability requires only Contributor-level access, attackers who gain such access—potentially through compromised credentials or social engineering—can leverage this flaw to escalate their impact. The persistent nature of the stored XSS means that all visitors to the infected pages are at risk, increasing the attack surface. For organizations, this can result in reputational damage, data breaches, and potential regulatory consequences if user data is exposed. The absence of availability impact limits direct service disruption, but the indirect effects on trust and security posture are significant. Given the widespread use of WordPress and TablePress, many websites globally are at risk, especially those with multiple contributors or less stringent access controls.

1. Immediately restrict Contributor-level user privileges to trusted individuals only and review existing user roles to minimize risk exposure. 2. Apply strict input validation and output encoding on all user-supplied data, especially for the affected data attributes ('data-caption', 'data-s-content-padding', 'data-s-title', 'data-footer') within TablePress, either by updating the plugin if a patch is released or by implementing custom sanitization filters. 3. Monitor WordPress logs and database entries for suspicious or unexpected script injections in table data fields. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block malicious payloads targeting these attributes. 5. Educate contributors and site administrators about the risks of XSS and the importance of secure content management practices. 6. Regularly audit and update all WordPress plugins and themes to their latest versions to benefit from security patches. 7. Consider temporarily disabling TablePress or limiting its use until a secure version is available. 8. Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS exploitation by restricting script sources.