CVE-2025-8604 identifies a stored Cross-Site Scripting (XSS) vulnerability in the WP Table Builder plugin for WordPress, specifically in all versions up to and including 2.0.12. The vulnerability arises from insufficient sanitization and escaping of user-supplied attributes within the plugin's wptb shortcode. Authenticated attackers with contributor-level permissions or higher can inject arbitrary JavaScript code into pages via this shortcode. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing actions on behalf of the victim. The vulnerability does not require user interaction beyond page access, but does require the attacker to have authenticated access with contributor or higher privileges. The CVSS 3.1 score of 6.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the attacker’s privileges. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation, a common cause of XSS issues.

This vulnerability allows authenticated attackers with contributor-level access to inject persistent malicious scripts into WordPress pages, which execute in the context of any user viewing those pages. The impact includes potential theft of authentication cookies, session hijacking, unauthorized actions performed on behalf of users, defacement, and distribution of malware. Since contributors can inject scripts that affect administrators or other users, the integrity and confidentiality of the site and its users are at risk. Although availability is not directly impacted, the trustworthiness of the site can be severely damaged, leading to reputational harm and potential loss of user base. Organizations relying on WP Table Builder for content presentation face risks of targeted attacks, especially if contributor accounts are compromised or misused. The medium severity score reflects the need for timely remediation but acknowledges the requirement for authenticated access limits the attack surface somewhat.

Organizations should immediately audit their WordPress installations to identify if WP Table Builder versions up to 2.0.12 are in use. Until an official patch is released, administrators should restrict contributor-level permissions carefully, ensuring only trusted users have such access. Implementing Web Application Firewalls (WAFs) with rules to detect and block suspicious shortcode payloads can help mitigate exploitation. Regularly monitoring plugin updates and applying patches as soon as they become available is critical. Additionally, site owners should review existing content for injected scripts and remove any suspicious code. Employing Content Security Policy (CSP) headers can reduce the impact of injected scripts by restricting script execution sources. Educating contributors about safe content practices and monitoring contributor activity logs for anomalies can further reduce risk. Finally, consider temporarily disabling or replacing the plugin if the risk is deemed unacceptable until a secure version is released.