{"id":"CVE-2025-2685","details":"The TablePress – Tables in WordPress made easy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘table-name’ parameter in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","modified":"2026-03-14T15:04:06.838620Z","published":"2025-03-27T06:15:29.550Z","references":[{"type":"WEB","url":"https://plugins.trac.wordpress.org/browser/tablepress/trunk/views/class-all-tables-list-table.php#L242"},{"type":"WEB","url":"https://plugins.trac.wordpress.org/changeset/3261229/"},{"type":"ADVISORY","url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/e285849f-886e-49ba-bb43-8c67655fe239?source=cve"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tablepress/tablepress","events":[{"introduced":"0"},{"fixed":"c7b857f2bd9adeb70f82f272c7c0fdaa4eebc8b9"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.1"}]}}],"versions":["0.4-alpha","0.5-alpha","0.6-beta","0.7-beta","0.8-beta","0.9-RC","1.0","1.1","1.1.1","1.10","1.11","1.12","1.13","1.14","1.2","1.3","1.4","1.5","1.5.1","1.6","1.6.1","1.7","1.8","1.8.1","1.9","1.9.1","1.9.2","2.0","2.0-RC1","2.0-RC2","2.0-RC3","2.0-beta1","2.0-beta2","2.0.1","2.0.2","2.0.3","2.0.4","2.1","2.1.1","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.2","2.2.1","2.2.2","2.2.3","2.2.4","2.2.5","2.3","2.3.1","2.3.2","2.4","2.4.1","2.4.2","2.4.3","2.4.4","3.0","3.0.1","3.0.2","3.0.3","3.0.4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-2685.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}