The TableOn – WordPress Posts Table Filterable plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) in all versions up to 1.0.4.4. The issue stems from the do_shortcode_button() function extracting shortcode attributes such as 'class', 'help_link', 'popup_title', and 'help_title' without sanitization or escaping. These attributes are then concatenated into HTML using single quotes without proper escaping in TABLEON_HELPER::draw_html_item(), allowing authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript code. This malicious code executes in the context of any user viewing the compromised page, potentially leading to session hijacking or other client-side attacks. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, required privileges at the contributor level, no user interaction, and impacts on confidentiality and integrity but not availability.

An authenticated attacker with Contributor-level access or higher can inject persistent malicious scripts into pages via shortcode attributes. These scripts execute in the browsers of users who view the affected pages, potentially compromising user sessions or performing unauthorized actions within the context of the victim's browser. The vulnerability impacts confidentiality and integrity but does not affect availability. There are no known exploits in the wild at this time.

No official fix or patch is currently available for this vulnerability. Users should monitor the vendor's advisory channels for updates. Until a patch is released, restrict Contributor-level access to trusted users only and consider disabling or removing the TableOn plugin if possible. Avoid using the vulnerable shortcode attributes or sanitize inputs manually if feasible. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.