CVE-2025-9126 is a stored cross-site scripting (XSS) vulnerability identified in the Smart Table Builder plugin for WordPress, developed by designful. This vulnerability affects all versions up to and including 1.0.1. The root cause is insufficient sanitization and output escaping of the ‘id’ parameter during web page generation, which allows an authenticated attacker with Contributor-level or higher privileges to inject arbitrary JavaScript code into pages. Because the malicious script is stored persistently, it executes every time a user accesses the infected page, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the victim. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4, reflecting a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change. The impact affects confidentiality and integrity but not availability. Although no known exploits are currently reported in the wild, the vulnerability presents a significant risk to WordPress sites using this plugin, especially those with multiple contributors. No official patches or updates have been released at the time of this report, increasing the urgency for mitigation steps.

The impact of CVE-2025-9126 is primarily on the confidentiality and integrity of affected WordPress sites. Successful exploitation allows an attacker with Contributor-level access to inject persistent malicious scripts that execute in the context of any user viewing the infected page. This can lead to session hijacking, theft of authentication tokens, unauthorized actions performed with the victim’s privileges, and potential privilege escalation if combined with other vulnerabilities. Although availability is not directly affected, the compromise of user accounts and site integrity can result in reputational damage, loss of user trust, and potential data breaches. Organizations relying on the Smart Table Builder plugin for content management or data presentation are at risk, especially those with multiple contributors or editors. The vulnerability could be leveraged in targeted attacks against high-value WordPress sites, including corporate blogs, e-commerce platforms, and news outlets. The absence of known exploits in the wild currently limits immediate widespread impact, but the medium severity score and ease of exploitation by authenticated users warrant prompt attention.

To mitigate CVE-2025-9126, organizations should implement the following specific measures: 1) Restrict Contributor-level access to trusted users only, minimizing the risk of malicious script injection. 2) Conduct thorough content reviews and audits of pages created or edited by Contributors to detect any suspicious or unexpected script content. 3) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the ‘id’ parameter in the Smart Table Builder plugin. 4) Monitor logs and user activity for anomalous behavior indicative of exploitation attempts. 5) Disable or remove the Smart Table Builder plugin if it is not essential to reduce the attack surface. 6) Stay alert for official patches or updates from the vendor and apply them immediately upon release. 7) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected sites. 8) Educate site administrators and contributors about the risks of XSS and safe content management practices. These targeted actions go beyond generic advice and address the specific attack vector and context of this vulnerability.