CVE-2025-12845
Awaiting Analysis Awaiting Analysis - Queue
Unauthorized Access in Tablesome Table Plugin Enables Privilege Escalation

Publication date: 2026-02-19

Last updated on: 2026-02-19

Assigner: Wordfence

Description
The Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing capability check on the get_table_data() function in versions 0.5.4 to 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve plugin table data that can expose email log information. Attackers can leverage this on sites where the table log is enabled in order to trigger a password reset and obtain the reset key.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12845
EUVD
EUVD-2025-207879
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
tablesome tablesome From 0.5.4 (inc) to 1.2.1 (inc)
tablesome table_contact_form_db From 0.5.4 (inc) to 1.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress, specifically in versions 0.5.4 to 1.2.1. It is caused by a missing capability check on the get_table_data() function, which allows authenticated users with Subscriber-level access or higher to access plugin table data without proper authorization.

This unauthorized access can expose sensitive email log information stored by the plugin. Attackers can exploit this to trigger password resets and obtain reset keys, potentially escalating their privileges on the affected WordPress site.

Impact Analysis

This vulnerability can lead to serious security impacts including unauthorized disclosure of sensitive email log data.

  • Exposure of email log information that may contain personal or sensitive data.
  • Privilege escalation by attackers who can use the exposed data to trigger password resets and obtain reset keys.
  • Potential full account takeover or unauthorized access to user accounts on the WordPress site.

Overall, this can compromise the confidentiality, integrity, and availability of the affected system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should update the Tablesome Table – Contact Form DB plugin to version 1.2.2 or later, as this version includes multiple code improvements and likely security fixes.

Additionally, restrict Subscriber-level access where possible and disable the table log feature if it is not needed, to reduce the risk of attackers leveraging the vulnerability to obtain password reset keys.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12845. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart