
CVE-2025-8604: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in wptb WP Table Builder – WordPress Table Plugin

Medium
Tags: Vulnerability, CVE-2025-8604, cve, cwe-79
Published: Fri Aug 15 2025 (08/15/2025, 07:24:40 UTC)
Source: CVE Database V5
Vendor/Project: wptb
Product: WP Table Builder – WordPress Table Plugin

Description

The WP Table Builder – WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wptb shortcode in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI-Powered Analysis

AI analysis last updated: 08/15/2025, 07:47:51 UTC

Technical Analysis

CVE-2025-8604 is a stored Cross-Site Scripting (XSS) vulnerability affecting the WP Table Builder plugin for WordPress, versions up to and including 2.0.12. It arises from insufficient input sanitization and output escaping of user-supplied attributes in the plugin's wptb shortcode: authenticated users with contributor-level access or higher can place attribute values in the shortcode that are emitted into the rendered page without neutralization, which allows arbitrary JavaScript to be injected. Because the malicious markup is stored persistently in site content, it executes every time a user loads the affected page, potentially affecting any visitor or administrator who views it. The vulnerability is classified under CWE-79 (improper neutralization of input during web page generation). The CVSS v3.1 base score is 6.4 (medium severity): the attack vector is network-based, attack complexity is low, contributor-level privileges are required, and no user interaction is needed. The impact affects confidentiality and integrity but not availability. No known public exploits have been reported yet. The vulnerability is significant because WordPress is a widely used CMS and WP Table Builder is a popular plugin for creating tables, so many sites could be affected if the plugin is not updated. A stored XSS of this kind can be leveraged to hijack user sessions, deface websites, or conduct further attacks such as phishing or malware distribution within the context of the vulnerable site.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to websites using WordPress with the WP Table Builder plugin installed. The ability for contributors to inject persistent malicious scripts can lead to session hijacking of administrators or other users, theft of sensitive information, and unauthorized actions performed on behalf of users. This can damage organizational reputation, lead to data breaches, and potentially violate GDPR requirements concerning data protection and breach notification. E-commerce sites, government portals, and other public-facing platforms using this plugin are particularly at risk. The vulnerability does not directly affect availability but can undermine trust and integrity of web services. Additionally, since contributor-level access is required, insider threats or compromised contributor accounts increase the risk. The lack of known exploits in the wild currently reduces immediate risk, but the widespread use of WordPress in Europe means rapid exploitation could occur once proof-of-concept code becomes available.

Mitigation Recommendations

1. Update the WP Table Builder plugin immediately to a patched version once the vendor releases one. Since no patch links are currently available, organizations should monitor vendor advisories closely.
2. Restrict contributor-level access strictly to trusted users and review user permissions regularly to minimize the risk of malicious input.
3. Implement Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting the wptb shortcode parameters.
4. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on affected websites.
5. Conduct regular security audits and code reviews of custom shortcodes or plugins to identify similar input validation issues.
6. Educate content contributors about the risks of injecting untrusted content and enforce input validation on all user-generated content.
7. Monitor website logs and user activity for unusual behavior indicative of exploitation attempts.
8. Consider isolating or sandboxing user-generated content areas to limit the impact of potential XSS attacks.
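The following is an added illustration of the CWE-79 pattern the advisory describes, not code from WP Table Builder or from this advisory's author. It uses a hypothetical `[demo_table]` shortcode with assumed `caption` and `class` attributes, and shows the weak handler beside a hardened one that escapes per output context. The relevant WordPress detail is that contributors normally lack the `unfiltered_html` capability, so core's kses filtering strips raw HTML from their posts on save, but shortcode text is plain text to that filter; whatever a contributor puts in a shortcode attribute reaches the handler unchanged, so the handler must escape it itself before echoing it into the page.

```php
<?php
/**
 * Added example (hypothetical shortcode, not WP Table Builder's code).
 * Shortcode tag and attribute names are assumptions for illustration.
 */

// Weak pattern: attribute values are concatenated straight into HTML.
// A contributor-supplied `class` value that closes the quoted attribute and
// appends an event-handler attribute is stored with the post and rendered
// verbatim for every visitor; this is the stored XSS the advisory describes.
function demo_table_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts(
        array(
            'caption' => '',
            'class'   => 'demo-table',
        ),
        $atts,
        'demo_table'
    );

    return '<table class="' . $atts['class'] . '">'
        . '<caption>' . $atts['caption'] . '</caption>'
        . '</table>';
}

// Hardened pattern: escape for the exact context each value lands in.
// esc_attr() neutralizes quotes and angle brackets inside an attribute value;
// esc_html() does the same for a text node. Both are WordPress core functions.
// The escaping happens at output time, regardless of what was stored.
function demo_table_shortcode_safe( $atts ) {
    $atts = shortcode_atts(
        array(
            'caption' => '',
            'class'   => 'demo-table',
        ),
        $atts,
        'demo_table'
    );

    // Optional allow-list on top of escaping: CSS class names never need
    // anything beyond this character set, so reject everything else early.
    $class = preg_replace( '/[^A-Za-z0-9_\- ]/', '', $atts['class'] );

    return '<table class="' . esc_attr( $class ) . '">'
        . '<caption>' . esc_html( $atts['caption'] ) . '</caption>'
        . '</table>';
}

// Register only the hardened handler. The unsafe one is kept above solely
// for side-by-side comparison during code review.
add_shortcode( 'demo_table', 'demo_table_shortcode_safe' );
```

For review purposes (mitigation item 5), the thing to look for in any shortcode handler is a `$atts[...]` value that reaches the return string without passing through `esc_attr()`, `esc_html()`, `esc_url()` or `wp_kses()` for its context; `shortcode_atts()` only fills defaults and does not sanitize.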


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-08-05T17:49:52.145Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689ee2a1ad5a09ad0063d6f2

Added to database: 8/15/2025, 7:32:49 AM

Last enriched: 8/15/2025, 7:47:51 AM

Last updated: 8/22/2025, 4:25:18 AM
