CVE-2025-6387 is a stored Cross-Site Scripting (XSS) vulnerability identified in the WP Get The Table plugin for WordPress, affecting all versions up to and including 1.5. The vulnerability stems from insufficient sanitization and escaping of the 'url' parameter during web page generation, classified under CWE-79. Authenticated attackers with Contributor-level privileges or higher can exploit this flaw by injecting arbitrary JavaScript code into pages managed by the plugin. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of users. The vulnerability does not require user interaction beyond visiting the affected page, and no higher privileges than Contributor are needed, which broadens the attack surface within WordPress environments. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and partial impact on confidentiality and integrity. No public exploits have been reported yet, but the vulnerability's presence in a popular content management system plugin makes it a significant concern. The lack of official patches at the time of reporting necessitates immediate attention from site administrators to apply manual mitigations or monitor for updates.

The impact of CVE-2025-6387 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows attackers to execute arbitrary scripts in the context of the vulnerable site, which can lead to session hijacking, theft of sensitive user data, defacement, or distribution of malware. Since the vulnerability requires only Contributor-level access, attackers can leverage compromised or malicious user accounts to escalate their influence. This can undermine trust in the affected websites, cause reputational damage, and potentially lead to broader network compromise if administrative accounts are targeted subsequently. The stored nature of the XSS means that all visitors to the infected pages are at risk, increasing the potential scope of impact. Organizations relying on WP Get The Table for content presentation may face operational disruptions and increased risk of data breaches. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits rapidly after disclosure.

To mitigate CVE-2025-6387, organizations should first check for and apply any official patches or updates released by the plugin vendor. In the absence of patches, administrators should implement strict input validation and output encoding on the 'url' parameter to neutralize malicious scripts. Restrict Contributor-level user permissions to trusted individuals only and monitor user activity for suspicious behavior. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the plugin. Regularly audit and sanitize existing content to remove any injected scripts. Additionally, enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Educate site administrators and users about the risks of XSS and encourage prompt reporting of anomalies. Finally, consider disabling or replacing the vulnerable plugin if immediate remediation is not feasible.