Can you explain this vulnerability to me?

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the TableGen – Data Table Generator plugin for WordPress. It occurs due to insufficient input sanitization and output escaping in the admin settings, allowing authenticated users with administrator-level permissions or higher to inject malicious web scripts. These scripts execute whenever a user accesses the affected page. The vulnerability affects multi-site installations and installations where the unfiltered_html setting is disabled, and it exists in all versions up to and including 1.3.1.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

An attacker with administrator-level access can inject malicious scripts that execute in the context of users visiting the affected pages. This can lead to unauthorized actions, data theft, session hijacking, or other malicious activities performed on behalf of the victim user. Since the vulnerability requires high privileges and affects multi-site or restricted HTML installations, the impact is limited to environments with these conditions.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately update the TableGen – Data Table Generator plugin to a version later than 1.3.1 where the issue is fixed. Additionally, restrict administrator-level permissions to trusted users only, and consider enabling unfiltered_html if it is safe to do so. For multi-site installations, review and sanitize admin settings inputs to prevent stored cross-site scripting.

Useful 0 Not Useful 0