The TableOn – WordPress Posts Table Filterable plugin suffers from a stored XSS vulnerability (CWE-79) because it does not properly sanitize or escape user input in shortcode attributes. Specifically, the do_shortcode_button() function extracts attributes like 'class', 'help_link', 'popup_title', and 'help_title' without sanitization and passes them to TABLEON_HELPER::draw_html_item(), which concatenates these values into HTML attributes using single quotes without escaping. This flaw allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code that executes in the context of any user viewing the compromised page. The vulnerability affects all versions up to and including 1.0.4.4. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and impacts on confidentiality and integrity but not availability. No patch or official remediation has been published as of the data provided.

An attacker with Contributor-level or higher access can exploit this vulnerability to inject persistent malicious scripts into WordPress pages using the vulnerable plugin. These scripts execute in the browsers of users who view the infected pages, potentially leading to theft of sensitive information, session hijacking, or other client-side attacks. The impact affects confidentiality and integrity but does not affect availability. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Contributor-level access to trusted users only and consider disabling or removing the vulnerable plugin to prevent exploitation. Monitor for plugin updates from the vendor realmag777 that address this vulnerability.