Which TablePress – Tables in WordPress made easy CVEs are tracked?

TablePress – Tables in WordPress made easy tracked CVEs include CVE-2024-23825, CVE-2019-20180, CVE-2025-12324, CVE-2025-9500, and CVE-2025-5096.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 9 known issues Latest disclosed Nov 03, 2025

TablePress – Tables in WordPress made easy Vulnerabilities

Q: How many TablePress – Tables in WordPress made easy vulnerabilities have patch guidance?

9 of 9 tracked TablePress – Tables in WordPress made easy records include a published patch path.

Review known vulnerability records for the WordPress plugin TablePress – Tables in WordPress made easy (`tablepress`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-12324, CVE-2025-9500 and CVE-2025-5096, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Nov 04, 2025

Priority CVE Quick Links

Fast paths into TablePress – Tables in WordPress made easy CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2024-23825 High 2.2.5

CVE-2024-23825 TablePress – Tables in WordPress made easy Server-Side Request Forgery

TablePress <= 2.2.4 - Authenticated(Author+) Server Side Request Forgery(SSRF) via _get_import_files

CVE-2019-20180 High 2.0

CVE-2019-20180 TablePress – Tables in WordPress made easy Vulnerability

TablePress <= 1.14 - Authenticated (Author+) CSV Injection

CVE-2025-12324 Medium 3.2.5

CVE-2025-12324 TablePress – Tables in WordPress made easy Stored Cross-Site Scripting

TablePress – Tables in WordPress made easy <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

CVE-2025-9500 Medium 3.2.1

CVE-2025-9500 TablePress – Tables in WordPress made easy Stored Cross-Site Scripting

TablePress <= 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode_debug Parameter

CVE-2025-5096 Medium 3.1.3

CVE-2025-5096 TablePress – Tables in WordPress made easy Stored Cross-Site Scripting

TablePress <= 3.1.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters

CVE-2025-2685 Medium 3.1

CVE-2025-2685 TablePress – Tables in WordPress made easy Stored Cross-Site Scripting

TablePress – Tables in WordPress made easy <= 3.0.4 - Authenticated (Author+) Stored Cross-Site Scripting

CVE-2024-9595 Medium 2.4.3

CVE-2024-9595 TablePress – Tables in WordPress made easy Stored Cross-Site Scripting

TablePress <= 2.4.2 - Authenticated (Author+) Stored Cross-Site Scripting

CVE-2024-4354 Medium 2.3.2

CVE-2024-4354 TablePress – Tables in WordPress made easy Server-Side Request Forgery

TablePress – Tables in WordPress made easy <= 2.3 - Authenticated (Author+) Server-Side Request Forgery via DNS Rebind

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for TablePress – Tables in WordPress made easy so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

9 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

0 critical and 2 high severity findings.

Recent CVEs

CVE-2025-12324, CVE-2025-9500 and CVE-2025-5096

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2025-12324 Medium Patch path listed

CVE-2025-12324: TablePress – Tables in WordPress made easy <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `table` shortcode attributes in all versions up to, and incl...

Published

Nov 03, 2025

Patch Status

3.2.5

Open CVE-2025-12324 Report

CVE-2025-9500 Medium Patch path listed

CVE-2025-9500: TablePress <= 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode_debug Parameter

The TablePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘shortcode_debug’ parameter in all versions up to, and including, 3.2 due to insufficient input sanit...

Published

Aug 29, 2025

Patch Status

3.2.1

Open CVE-2025-9500 Report

CVE-2025-5096 Medium Patch path listed

CVE-2025-5096: TablePress <= 3.1.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters

The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes...

Published

May 22, 2025

Patch Status

3.1.3

Open CVE-2025-5096 Report

Known Vulnerabilities

Reports for TablePress – Tables in WordPress made easy

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-12324

CVE-2025-12324: TablePress – Tables in WordPress made easy <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `table` shortcode attributes in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping on user supplied a...

Published

Nov 03, 2025

Patched Release

3.2.5

Affected Versions

Versions up to 3.2.4

Next Step

Update to 3.2.5 or newer if supported.

Open CVE-2025-12324 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-9500

CVE-2025-9500: TablePress <= 3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode_debug Parameter

The TablePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘shortcode_debug’ parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Cont...

Published

Aug 29, 2025

Patched Release

3.2.1

Affected Versions

Versions up to 3.2

Next Step

Update to 3.2.1 or newer if supported.

Open CVE-2025-9500 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-5096

CVE-2025-5096: TablePress <= 3.1.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters

The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes in all versions up to, and including, 3.1.2 due to insufficient input sanitization and ou...

Published

May 22, 2025

Patched Release

3.1.3

Affected Versions

Versions up to 3.1.2

Next Step

Update to 3.1.3 or newer if supported.

Open CVE-2025-5096 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-2685

CVE-2025-2685: TablePress – Tables in WordPress made easy <= 3.0.4 - Authenticated (Author+) Stored Cross-Site Scripting

The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘table-name’ parameter in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authe...

Published

Mar 26, 2025

Patched Release

3.1

Affected Versions

Versions up to 3.0.4

Next Step

Update to 3.1 or newer if supported.

Open CVE-2025-2685 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-9595

CVE-2024-9595: TablePress <= 2.4.2 - Authenticated (Author+) Stored Cross-Site Scripting

The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the table cell content in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authentic...

Published

Oct 11, 2024

Patched Release

2.4.3

Affected Versions

Versions up to 2.4.2

Next Step

Update to 2.4.3 or newer if supported.

Open CVE-2024-9595 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-4354

CVE-2024-4354: TablePress – Tables in WordPress made easy <= 2.3 - Authenticated (Author+) Server-Side Request Forgery via DNS Rebind

The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3 via the get_files_to_import() function. This makes it possible for authenticated attackers, with author-level access and abov...

Published

Jun 06, 2024

Patched Release

2.3.2

Affected Versions

Versions up to 2.3.1

Next Step

Update to 2.3.2 or newer if supported.

Open CVE-2024-4354 Report Open CVE Reference

Plugin High Patched: Yes CVE-2024-23825

CVE-2024-23825: TablePress <= 2.2.4 - Authenticated(Author+) Server Side Request Forgery(SSRF) via _get_import_files

The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to and including 2.2.4 via the '_get_import_files' function. This makes it possible for authenticated attackers, with author access and above, to make w...

Published

Jan 31, 2024

Patched Release

2.2.5

Affected Versions

Versions up to 2.2.4

Next Step

Update to 2.2.5 or newer if supported.

Open CVE-2024-23825 Report Open CVE Reference

Plugin High Patched: Yes CVE-2019-20180

CVE-2019-20180: TablePress <= 1.14 - Authenticated (Author+) CSV Injection

The TablePress plugin for WordPress is vulnerable to CSV Injection in versions up to and including 1.14 via the tablepress[data] value. This makes it possible for attackers with author level access and above to embed untrusted input into exported CSV files, which can result in co...

Published

Feb 01, 2020

Patched Release

2.0

Affected Versions

Versions up to 1.14

Next Step

Update to 2.0 or newer if supported.

Open CVE-2019-20180 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2017-10889

CVE-2017-10889: TablePress <= 1.8 - XML External Entity Injection

TablePress prior to version 1.8.1 allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.

Published

Jul 04, 2017

Patched Release

1.8.1

Affected Versions

Versions up to 1.8

Next Step

Update to 1.8.1 or newer if supported.

Open CVE-2017-10889 Report Open CVE Reference