TableOn – WordPress Posts Table Filterable Security & Risk Analysis

wordpress.org/plugins/posts-table-filterable

TABLEON - Posts Table Filterable: WordPress plugin for displaying and filtering posts and their custom post types in table format.

300 active installs · v1.0.5.1 · PHP 7.4+ · WP 4.9+ · Updated Mar 27, 2026
Tags: filter, posts-filter, posts-table, table, tableon
Score: 89 (A · Safe)
CVEs total: 8
Unpatched: 0
Last CVE: Apr 7, 2026
Safety Verdict

Is TableOn – WordPress Posts Table Filterable Safe to Use in 2026?

Generally Safe

Score 89/100

TableOn – WordPress Posts Table Filterable has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

8 known CVEs · Last CVE: Apr 7, 2026 · Updated 1mo ago
Risk Assessment

The "posts-table-filterable" plugin version 1.0.4.4 presents a significant security risk due to a large attack surface with a high proportion of unprotected entry points, specifically 30 out of 39. The lack of authorization checks on numerous AJAX handlers is a major concern, as it could allow unauthenticated users to trigger potentially sensitive actions. While the plugin demonstrates some good practices like a high percentage of properly escaped output and a moderate use of prepared statements for SQL queries, these are overshadowed by the critical vulnerabilities.

The vulnerability history is alarming, with a total of 7 known CVEs, including one critical and six medium severity issues. The fact that two vulnerabilities remain unpatched, with the last one reported as recently as 2026-01-20, indicates a pattern of persistent security flaws and potentially slow or inadequate patching by the developers. The common vulnerability types listed (XSS, Code Injection, Deserialization, Missing Authorization) are all serious and can lead to complete site compromise. The taint analysis, while limited in scope, did reveal flows with unsanitized paths, hinting at potential injection vulnerabilities that might not have been fully captured by the analysis or are yet to be discovered.

In conclusion, despite some positive code signals regarding output escaping, the plugin's overall security posture is weak. The combination of a large, unprotected attack surface and a history of serious, unpatched vulnerabilities makes this plugin a high-risk component. Users should exercise extreme caution and consider deactivating or replacing it until all known vulnerabilities are addressed and the plugin's security practices are demonstrably improved.

Key Concerns

  • Unpatched critical CVE
  • Unpatched medium CVE (x6)
  • Large attack surface without auth (30/39)
  • AJAX handlers without auth checks (30)
  • Missing capability checks
  • Flows with unsanitized paths
  • SQL queries without prepared statements (58%)
  • Low percentage of prepared statements (42%)
  • File operations detected
  • Nonce checks present but limited (2)
Vulnerabilities
8 published

TableOn – WordPress Posts Table Filterable Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2025: 5 CVEs
2026: 2 CVEs

Severity Breakdown

Critical: 1
Medium: 7

8 total CVEs

CVE-2026-3513 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

TableOn – WordPress Posts Table Filterable <= 1.0.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class' Shortcode Attribute

Apr 7, 2026 · Patched in 1.0.5 (1d)

CVE-2025-69316 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

TableOn <= 1.0.4.2 - Reflected Cross-Site Scripting

Jan 20, 2026 · Patched in 1.0.4.3 (8d)

CVE-2025-5143 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

TableOn – WordPress Posts Table Filterable <= 1.0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via tableon_popup_iframe_button Shortcode

Jun 20, 2025 · Patched in 1.0.4.2 (1d)

CVE-2025-60244 · medium · 6.5 · Improper Control of Generation of Code ('Code Injection')

TableOn <= 1.0.5.1 - Unauthenticated Arbitrary Shortcode Execution

May 22, 2025 · Patched in 1.0.6 (348d)

CVE-2025-32592 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

TableOn – WordPress Posts Table Filterable <= 1.0.3 - Unauthenticated Stored Cross-Site Scripting

Apr 14, 2025 · Patched in 1.0.4 (8d)

CVE-2025-32569 · critical · 9.8 · Deserialization of Untrusted Data

TableOn – WordPress Posts Table Filterable <= 1.0.4.3 - Unauthenticated PHP Object Injection

Apr 10, 2025 · Patched in 1.0.4.4 (293d)

CVE-2025-32218 · medium · 4.3 · Missing Authorization

TableOn – WordPress Posts Table Filterable <= 1.0.5.1 - Missing Authorization

Apr 4, 2025 · Patched in 1.0.6 (397d)

WF-d60f69f1-eaea-49cb-bbe3-281ec4f872f1-posts-table-filterable · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

TableOn – WordPress Posts Table Filterable <= 1.0.0 - Reflected Cross-Site Scripting

Oct 18, 2021 · Patched in 1.0.1 (827d)

Version History

TableOn – WordPress Posts Table Filterable Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

TableOn – WordPress Posts Table Filterable Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 15; 11 prepared
Unescaped Output: 43; 203 escaped
Nonce Checks: 2
Capability Checks: 0
File Operations: 2
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

42% prepared · 26 total queries

Output Escaping

83% escaped · 246 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

3 flows · 2 with unsanitized paths
get_columns_data (classes\columns.php:331)
Attack Surface
30 unprotected

TableOn – WordPress Posts Table Filterable Attack Surface

Entry Points: 39
Unprotected: 30

AJAX Handlers 32

auth · wp_ajax_tableon_save_table_column_field_option · classes\columns-fields-options.php:46
auth · wp_ajax_tableon_get_columns_data · classes\columns.php:56
auth · wp_ajax_tableon_save_table_column_field · classes\columns.php:57
auth · wp_ajax_tableon_create_table_column · classes\columns.php:58
auth · wp_ajax_tableon_refresh_columns_table · classes\columns.php:59
auth · wp_ajax_tableon_delete_table_column · classes\columns.php:60
auth · wp_ajax_tableon_save_filter_field_option · classes\filter-fields-options.php:56
auth · wp_ajax_tableon_get_predefinition_table · classes\predefinition.php:46
auth · wp_ajax_tableon_save_table_predefinition_field · classes\predefinition.php:47
auth · wp_ajax_tableon_save_settings_field · classes\settings.php:47
auth · wp_ajax_tableon_save_table_custom_css · classes\settings.php:50
auth · wp_ajax_tableon_get_table_custom_css · classes\settings.php:55
auth · wp_ajax_tableon_get_fields_for_filter · classes\tables-filter.php:30
auth · wp_ajax_tableon_save_fields_for_filter · classes\tables-filter.php:31
auth · wp_ajax_tableon_get_tables_meta · classes\tables-meta.php:82
auth · wp_ajax_tableon_save_table_meta_field · classes\tables-meta.php:83
auth · wp_ajax_tableon_create_meta · classes\tables-meta.php:84
auth · wp_ajax_tableon_delete_table_meta · classes\tables-meta.php:85
auth · wp_ajax_tableon_get_tables_options · classes\tables-options.php:40
auth · wp_ajax_tableon_save_table_option · classes\tables-options.php:41
auth · wp_ajax_tableon_create_table · classes\tables.php:45
auth · wp_ajax_tableon_save_table_field · classes\tables.php:46
auth · wp_ajax_tableon_delete_table · classes\tables.php:47
auth · wp_ajax_tableon_clone_table · classes\tables.php:48
auth · wp_ajax_tableon_save_vocabulary_field · classes\vocabulary.php:63
auth · wp_ajax_tableon_create_vocabulary_field · classes\vocabulary.php:64
auth · wp_ajax_tableon_delete_vocabulary_field · classes\vocabulary.php:65
auth · wp_ajax_tableon_get_table_data · index.php:76
nopriv · wp_ajax_tableon_get_table_data · index.php:77
auth · wp_ajax_tableon_get_smth · index.php:79
nopriv · wp_ajax_tableon_get_smth · index.php:80
auth · wp_ajax_tableon_import_data · index.php:82

Shortcodes 7

[tableon] index.php:74
[tableon_button] index.php:75
[tableon_popup_iframe_button] index.php:1592
[tableon_gallery] index.php:1640
[tableon_single_btn] index.php:1696
[tableon_drop_down] profiles\default\default.php:41
[tableon_single] profiles\default\single.php:97
WordPress Hooks 57
action · admin_init · classes\columns-fields-options.php:20
filter · tableon_show_column_field_option · classes\columns-fields-options.php:23
action · admin_enqueue_scripts · classes\columns-fields-options.php:45
action · admin_enqueue_scripts · classes\columns.php:29
action · admin_init · classes\columns.php:30
action · tableon_columns_table · classes\columns.php:72
action · admin_init · classes\filter-fields-options.php:20
filter · tableon_get_filter_field_options · classes\filter-fields-options.php:22
action · admin_enqueue_scripts · classes\filter-fields-options.php:55
action · admin_enqueue_scripts · classes\predefinition.php:19
action · admin_init · classes\predefinition.php:20
action · admin_enqueue_scripts · classes\settings.php:20
action · admin_init · classes\settings.php:21
action · admin_bar_menu · classes\settings.php:64
action · admin_init · classes\tables-filter.php:17
action · admin_enqueue_scripts · classes\tables-filter.php:18
action · admin_enqueue_scripts · classes\tables-meta.php:23
action · admin_init · classes\tables-meta.php:24
filter · tableon_table_orderby_select_args · classes\tables-meta.php:28
action · tableon_meta_table · classes\tables-meta.php:271
action · admin_enqueue_scripts · classes\tables-options.php:13
action · admin_init · classes\tables-options.php:14
action · tableon_options_columns_table · classes\tables-options.php:75
action · admin_init · classes\tables.php:30
action · tableon_admin_table · classes\tables.php:60
filter · tableon_current_lang · classes\vocabulary.php:27
action · admin_enqueue_scripts · classes\vocabulary.php:37
action · admin_init · classes\vocabulary.php:38
action · admin_init · index.php:97
action · admin_enqueue_scripts · index.php:108
action · admin_menu · index.php:127
action · wp_print_footer_scripts · index.php:159
filter · theme_page_templates · index.php:1407
filter · template_include · index.php:1413
action · init · index.php:1564
action · plugins_loaded · index.php:1565
action · wp_loaded · index.php:1574
filter · tableon_profile_extend · profiles\default\compatibility.php:13
action · tableon_filter_provider_mdtf · profiles\default\compatibility.php:57
action · admin_init · profiles\default\default.php:32
action · init · profiles\default\default.php:33
action · tableon_filter_provider_default · profiles\default\default.php:35
filter · tableon_extend_options · profiles\default\default.php:56
filter · tableon_table_classes · profiles\default\default.php:57
filter · tableon_wp_query_args · profiles\default\default.php:85
filter · tableon_wp_query_args · profiles\default\default.php:96
filter · posts_where · profiles\default\default.php:511
filter · posts_where · profiles\default\default.php:548
filter · posts_where · profiles\default\default.php:575
filter · posts_where · profiles\default\default.php:692
filter · posts_where · profiles\default\default.php:725
filter · posts_where · profiles\default\default.php:758
action · tableon_extend_settings · profiles\default\single.php:23
action · tableon_extend_settings_default · profiles\default\single.php:56
filter · tableon_get_table_single_post · profiles\default\single.php:79
action · tableon_extend_settings · profiles\default\universal.php:72
action · tableon_extend_settings_default · profiles\default\universal.php:103
Maintenance & Trust

TableOn – WordPress Posts Table Filterable Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Mar 27, 2026
PHP min version: 7.4
Downloads: 9K

Community Trust

Rating: 92/100
Number of ratings: 14
Active installs: 300
Developer Profile

TableOn – WordPress Posts Table Filterable Developer Profile

RealMag777

12 plugins · 188K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 196 days
Detection Fingerprints

How We Detect TableOn – WordPress Posts Table Filterable

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/posts-table-filterable/assets/css/admin/system.css
/wp-content/plugins/posts-table-filterable/assets/js/helper.js
/wp-content/plugins/posts-table-filterable/assets/css/selectm-23.css
/wp-content/plugins/posts-table-filterable/assets/js/selectm-23.js
/wp-content/plugins/posts-table-filterable/assets/css/growls.css
/wp-content/plugins/posts-table-filterable/assets/css/popup-23.css
/wp-content/plugins/posts-table-filterable/assets/css/switcher-23.css
/wp-content/plugins/posts-table-filterable/assets/css/admin/options.css
+3 more
Script Paths
/wp-content/plugins/posts-table-filterable/assets/js/helper.js
/wp-content/plugins/posts-table-filterable/assets/js/selectm-23.js
/wp-content/plugins/posts-table-filterable/assets/js/data-table-23/data-table-23.js
/wp-content/plugins/posts-table-filterable/assets/js/tableon-generator.js
Version Parameters
posts-table-filterable/assets/css/admin/system.css?ver=
posts-table-filterable/assets/js/helper.js?ver=
posts-table-filterable/assets/css/selectm-23.css?ver=
posts-table-filterable/assets/js/selectm-23.js?ver=
posts-table-filterable/assets/css/growls.css?ver=
posts-table-filterable/assets/css/popup-23.css?ver=
posts-table-filterable/assets/css/switcher-23.css?ver=
posts-table-filterable/assets/css/admin/options.css?ver=
posts-table-filterable/assets/js/data-table-23/data-table-23.js?ver=
posts-table-filterable/assets/js/data-table-23/data-table-23.css?ver=
posts-table-filterable/assets/js/tableon-generator.js?ver=

HTML / DOM Fingerprints

CSS Classes
tableon-admin-table
Data Attributes
data-tableon-admin-table
JS Globals
TABLEON_HELPER
REST Endpoints
/wp-json/tableon/v1/get_table_data
/wp-json/tableon/v1/get_smth
/wp-json/tableon/v1/import_data
Shortcode Output
[tableon]
[tableon_button]