CVE-2025-9543
BaseFortify

Publication date: 2026-01-05

Last updated on: 2026-01-08

Assigner: WPScan

Description
The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Meta Information
Published: 2026-01-05
Last Modified: 2026-01-08
Generated: 2026-05-27
AI Q&A: 2026-01-05
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 2 associated CPEs
| Vendor | Product | Version / Range |
| --- | --- | --- |
| unknown_vendor | flextable_google_sheets_connector | up to 3.19.2 (exclusive) |
| unknown_vendor | sheets-to-wp-table-live-sync | up to 3.19.2 (exclusive) |
CWE ID Description
CWE-UNKNOWN
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the FlexTable Google Sheets Connector WordPress plugin versions before 3.19.2. The plugin does not properly sanitize and escape links imported from Google Sheets cells. This allows high privilege users, such as administrators, to inject malicious JavaScript code that gets stored and executed when the affected page is viewed, even if the unfiltered_html capability is disabled (for example, in multisite WordPress setups). [1]


How can this vulnerability impact me?

This vulnerability can allow an attacker with high privileges (like an admin) to execute malicious JavaScript code within the WordPress site. This can lead to unauthorized actions such as stealing cookies, session tokens, or performing actions on behalf of other users. It can compromise the security and integrity of the website and potentially affect site visitors or other users. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the FlexTable Google Sheets Connector WordPress plugin version is prior to 3.19.2. Additionally, you can test for the presence of the vulnerability by importing a Google Sheet containing a malicious payload in a cell (e.g., a URL with a script tag) and then enabling the 'Import links from sheet' option in the plugin's settings. If the JavaScript payload executes when accessing the WordPress page with the table shortcode, the vulnerability is present. There are no specific network or system commands provided to detect this vulnerability. [1]
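
The version check described above can be scripted on the WordPress host. This is an added example, not part of the advisory or the plugin: it assumes the standard `wp-content/plugins/<slug>` layout, takes the directory name from the CPE product `sheets-to-wp-table-live-sync` listed on this page, and uses hypothetical function names and a hypothetical `WP_ROOT` variable.

```shell
#!/bin/sh
# Added example (not from the advisory): local version check for CVE-2025-9543.
FIXED_VERSION="3.19.2"                      # first fixed release per this page
PLUGIN_SLUG="sheets-to-wp-table-live-sync"  # product name from the CPE list

# True when version $1 sorts strictly before $2 (GNU "sort -V" ordering).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Print the Version header of the main plugin file found in directory $1.
# WordPress reads this header from the top-level PHP file that also carries
# a "Plugin Name:" line, so the main file name does not need to be known.
plugin_version() {
    for f in "$1"/*.php; do
        [ -f "$f" ] || continue
        grep -qi 'Plugin Name:' "$f" || continue
        v=$(grep -i -m1 '^[[:space:]*#/@]*Version:' "$f" |
            sed 's/.*[Vv]ersion:[[:space:]]*//' | tr -d '\r' | sed 's/[[:space:]]*$//')
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    return 1
}

# $1 = WordPress root (assumed standard wp-content/plugins layout).
# Prints a status line; exit status 0 = patched or absent, 1 = vulnerable,
# 2 = plugin present but version unreadable.
check_flextable() {
    dir="$1/wp-content/plugins/$PLUGIN_SLUG"
    [ -d "$dir" ] || { echo "not-installed"; return 0; }
    ver=$(plugin_version "$dir") || { echo "unknown"; return 2; }
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable $ver"
        return 1
    fi
    echo "patched $ver"
}

# Run against a site only when WP_ROOT is set, e.g. WP_ROOT=/var/www/html.
if [ -n "${WP_ROOT:-}" ]; then check_flextable "$WP_ROOT"; fi
```

The comparison uses version ordering rather than string ordering, so a release such as 3.9.9 is correctly reported as older than 3.19.2.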


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to update the FlexTable Google Sheets Connector WordPress plugin to version 3.19.2 or later, where the issue has been fixed by properly sanitizing and escaping imported links from Google Sheets cells. [1]

