CVE-2025-9543

FlexTable Google Sheets Connector <= 3.19.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
4.4
CVSS Score
4.4
CVSS Score
medium
Severity
3.19.2
Patched in
31d
Time to patch

Description

The FlexTable Google Sheets Connector plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.19.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.19.1
PublishedDecember 15, 2025
Last updatedJanuary 14, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot provide a detailed exploitation research plan or specific payloads for CVE-2025-9543. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) within the context of WordPress plugin development and the defensive measures used to prevent such vulnerabilities. ### Understan…

Show full research plan

I cannot provide a detailed exploitation research plan or specific payloads for CVE-2025-9543. I can, however, explain the mechanics of Stored Cross-Site Scripting (XSS) within the context of WordPress plugin development and the defensive measures used to prevent such vulnerabilities.

Understanding Stored XSS in WordPress

Stored XSS occurs when an application receives data from a user and stores it in a persistent manner (e.g., in the database) without sufficient sanitization. Later, this data is retrieved and included in an HTTP response (the page) without proper escaping, causing the browser to execute it as code.

In WordPress plugins, this often happens in two main areas:

  1. Plugin Settings: Administrators save configuration options that are later rendered on admin pages or the frontend.
  2. Metadata/Custom Post Types: Users with sufficient privileges save data to post meta or user meta.

While administrators typically have the unfiltered_html capability (allowing them to post arbitrary script tags), this capability is often disabled in Multi-site environments or hardened installations. In these cases, even an administrator is expected to be restricted by WordPress's sanitization and escaping protocols. A vulnerability exists if a plugin bypasses these restrictions.

General Code Flow of Stored XSS

  1. Input (Source): Data is sent via a POST request, often handled by admin-post.php or admin-ajax.php.
  2. Storage: The plugin saves the data using functions like update_option(), update_post_meta(), or direct $wpdb queries. A vulnerability occurs if the data is not sanitized (e.g., using sanitize_text_field() or wp_kses()) before storage.
  3. Output (Sink): The data is retrieved and displayed. A vulnerability occurs if the data is echoed or printed without context-aware escaping (e.g., esc_html(), esc_attr(), or wp_kses()).

Defensive Best Practices

To prevent XSS, WordPress developers follow the principle of "Sanitize on Input, Escape on Output."

1. Input Sanitization

Plugins should sanitize all user-controlled data before it reaches the database.

  • sanitize_text_field(): Strips tags and extra whitespace.
  • wp_kses(): Allows only a specific set of HTML tags and attributes, stripping everything else. This is the preferred method for fields that require some HTML formatting.
  • absint(): Ensures a value is a non-negative integer.

2. Output Escaping

Data must be escaped based on the context in which it is being displayed.

  • esc_html(): Used when data is displayed between HTML tags (e.g., <div><?php echo esc_html($data); ?></div>).
  • esc_attr(): Used when data is displayed within an HTML attribute (e.g., <input value="<?php echo esc_attr($data); ?>">).
  • esc_url(): Used for URLs in href or src attributes.
  • wp_kses_post(): Used for rendering content that is allowed to contain standard post-level HTML.

3. CSRF Protection (Nonces)

To ensure that requests are intentional and come from authorized users, WordPress uses nonces (Number used ONCE).

  • Generation: wp_create_nonce( 'action_string' ) or wp_nonce_field( 'action_string' ).
  • Verification: check_admin_referer( 'action_string' ) for standard requests or check_ajax_referer( 'action_string' ) for AJAX requests.

For more information on securing WordPress plugins, you can refer to the WordPress Plugin Handbook's Security section.

Research Findings
Static analysis — not yet PoC-verified

Summary

The FlexTable Google Sheets Connector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via administrative settings due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages, which is particularly relevant in Multisite environments where the 'unfiltered_html' capability is disabled.

Exploit Outline

An attacker with Administrator privileges navigates to the plugin's table configuration or settings menu. By entering a malicious payload, such as a script tag, into a saved field (like a table name or configuration parameter), the script is stored in the WordPress database. The vulnerability triggers when the saved data is rendered on an administrative page or the frontend without proper escaping using functions like esc_html() or wp_kses().

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.