[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fdysN3LfqwzWo2SFYfjkvoRtupzTmdPkDy6dRJoYqwfQ":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-69316","tableon-reflected-cross-site-scripting","TableOn \u003C= 1.0.4.2 - Reflected Cross-Site Scripting","The TableOn plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 1.0.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","posts-table-filterable",null,"\u003C=1.0.4.2","1.0.4.3","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-20 00:00:00","2026-01-27 19:33:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F46fd4e5d-e1d7-4de6-ae24-66e260a1b288?source=api-prod",8,[],"researched",false,3,"# Research Plan: Reflected XSS in TableOn (CVE-2025-69316)\n\n## 1. Vulnerability Summary\nThe **TableOn – WordPress Posts Table Filterable** plugin (\u003C= 1.0.4.2) is vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability exists because the plugin accepts user-supplied input through URL parameters (used for filtering or searching the table) and reflects this input back into the page source without sufficient sanitization or output escaping (e.g., failing to use `esc_attr()` or `esc_html()`). \n\nThis allows an unauthenticated attacker to execute arbitrary JavaScript in the context of a user's browser by tricking them into clicking a crafted link.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Any frontend page containing the TableOn shortcode (`[tableon]`).\n*   **Vulnerable Parameter:** `tableon_txt_search` (inferred) or other filter\u002Fsorting parameters like `orderby`.\n*   **Authentication:** None required (Unauthenticated).\n*   **Preconditions:** A page or post must be published containing the plugin's shortcode to render the table interface where the reflection occurs.\n\n## 3. Code Flow (Inferred)\n1.  A user visits a page containing the `[tableon]` shortcode.\n2.  The plugin's shortcode handler (likely in a class handling the frontend display) parses the request.\n3.  The handler checks for filter parameters in the `$_GET` or `$_REQUEST` arrays to maintain the state of the search UI.\n4.  The parameter (e.g., `tableon_txt_search`) is assigned to a variable used in the HTML template for the search input field.\n5.  **Sink:** The value is echoed directly into the `value` attribute of an `\u003Cinput>` tag or within a `\u003Cscript>` block for AJAX initialization without being passed through `esc_attr()` or `wp_json_encode()`.\n    *   *Example Vulnerable Code:* `echo '\u003Cinput type=\"text\" name=\"tableon_txt_search\" value=\"' . $_GET['tableon_txt_search'] . '\">';`\n\n## 4. Nonce Acquisition Strategy\nReflected XSS via GET parameters typically does **not** require a nonce, as the reflection happens during the initial page load.\n\nHowever, if the reflection occurs within an AJAX response (e.g., triggered via the `tableon_get_table` action), a nonce might be required for the AJAX request itself.\n*   **Action String:** Likely `tableon_nonce` or `tableon_ajax_nonce` (inferred).\n*   **JS Variable:** Check for `window.tableon_vars` or `window.tableon_data` (inferred).\n*   **Acquisition Method:**\n    1.  Navigate to the page containing the `[tableon]` shortcode.\n    2.  Use `browser_eval` to extract the nonce: `browser_eval(\"window.tableon_vars?.nonce\")`.\n\n## 5. Exploitation Strategy\nThe goal is to break out of an HTML attribute (likely `value`) and inject a script.\n\n### Step 1: Identify the Reflected Parameter\nTest common TableOn parameters for reflection:\n*   `?tableon_txt_search=REFLECT_HERE`\n*   `?orderby=REFLECT_HERE`\n\n### Step 2: Craft the Payload\nIf reflected in a `value` attribute:\n`\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>`\n\n### Step 3: Execute the Exploit\nUse the `http_request` tool to request the page with the payload.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002F{page-with-shortcode}\u002F?tableon_txt_search=\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>`\n*   **Method:** `GET`\n\n## 6. Test Data Setup\n1.  **Create a Sample Post:** Create at least one post so the table has data to display.\n    *   `wp post create --post_type=post --post_title='Evidence' --post_status=publish`\n2.  **Create Table Page:** Create a page with the TableOn shortcode.\n    *   `wp post create --post_type=page --post_title='Table Page' --post_status=publish --post_content='[tableon]'`\n\n## 7. Expected Results\n*   The HTTP response body should contain the unescaped payload string: `\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>`.\n*   Specifically, the search input field should look like: `\u003Cinput ... value=\"\">\u003Cscript>alert(window.origin)\u003C\u002Fscript>\">`.\n*   When viewed in a browser, an alert box with the site's origin should appear.\n\n## 8. Verification Steps\n1.  **Search Source Code:** After the request, verify the exact location of the reflection in the response.\n2.  **Verify via Browser:** Use `browser_navigate` to the URL and check if the alert was triggered.\n3.  **Check for Escaping:** Confirm that characters like `\"` and `\u003C` are NOT converted to `&quot;` or `&lt;`.\n\n## 9. Alternative Approaches\nIf `tableon_txt_search` is not the vulnerable parameter, try the following:\n1.  **Pagination Parameter:** `?tableon_page=1\u003Cscript>alert(1)\u003C\u002Fscript>`\n2.  **Sorting Parameter:** `?orderby=title\u003Cscript>alert(1)\u003C\u002Fscript>`\n3.  **Direct AJAX Reflection:** If the plugin uses an AJAX endpoint for filtering, perform an AJAX POST request to `wp-admin\u002Fadmin-ajax.php?action=tableon_get_table` with the malicious parameter in the body\u002FURL and check the JSON response for unescaped reflection.","The TableOn plugin for WordPress (\u003C= 1.0.4.2) is vulnerable to Reflected Cross-Site Scripting via user-supplied parameters like tableon_txt_search. This occurs because the plugin reflects these values directly into the HTML output without proper sanitization or output escaping, allowing attackers to execute arbitrary scripts in a victim's browser context via a crafted link.","\u002F\u002F Inferred from plugin functionality within frontend rendering logic\n\u002F\u002F The plugin retrieves search or filter parameters from the URL\n$search_val = isset($_GET['tableon_txt_search']) ? $_GET['tableon_txt_search'] : '';\n\n\u002F\u002F Sink: The value is reflected unescaped inside an HTML input attribute\necho '\u003Cinput type=\"text\" class=\"tableon_txt_search\" value=\"' . $search_val . '\" \u002F>';\n\n---\n\n\u002F\u002F Alternatively reflected in AJAX initialization scripts\n$vars = [\n    'search' => $_GET['tableon_txt_search'],\n    \u002F\u002F ... other vars\n];\necho '\u003Cscript>var tableon_data = ' . json_encode($vars) . ';\u003C\u002Fscript>'; \u002F\u002F Often lacks proper WP JSON encoding if older functions are used","--- a\u002Fclasses\u002Ftableon.php\n+++ b\u002Fclasses\u002Ftableon.php\n@@ -124,1 +124,1 @@\n-    echo '\u003Cinput type=\"text\" class=\"tableon_txt_search\" value=\"' . $search_val . '\" \u002F>';\n+    echo '\u003Cinput type=\"text\" class=\"tableon_txt_search\" value=\"' . esc_attr($search_val) . '\" \u002F>';\n\n@@ -150,1 +150,1 @@\n-    echo '\u003Cscript>var tableon_data = ' . json_encode($vars) . ';\u003C\u002Fscript>';\n+    echo '\u003Cscript>var tableon_data = ' . wp_json_encode($vars) . ';\u003C\u002Fscript>';","1. Identify a public page or post on the target WordPress site that utilizes the [tableon] shortcode.\n2. Identify the parameter used for searching within the table, typically `tableon_txt_search` or `tableon_page`.\n3. Craft a malicious payload designed to break out of an HTML attribute (e.g., `\">\u003Cscript>alert(origin)\u003C\u002Fscript>`).\n4. Construct a URL including the payload: `https:\u002F\u002Fexample.com\u002Ftable-page\u002F?tableon_txt_search=\">\u003Cscript>alert(origin)\u003C\u002Fscript>`.\n5. Trick an authenticated user (such as an administrator) or any visitor into clicking the crafted link.\n6. The browser will render the page, reflecting the script into the DOM and executing the JavaScript in the context of the site.","gemini-3-flash-preview","2026-05-05 05:05:04","2026-05-05 05:05:30",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fposts-table-filterable\u002Ftags"]