CVE-2025-12845 Overview
CVE-2025-12845 is a Missing Authorization vulnerability (CWE-862) affecting the Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress. The vulnerability exists due to a missing capability check on the get_table_data() function, allowing authenticated attackers with Subscriber-level access and above to retrieve sensitive plugin table data that can expose email log information. Attackers can leverage this on sites where the table log is enabled in order to trigger a password reset and obtain the reset key, leading to privilege escalation.
Critical Impact
Authenticated attackers with minimal privileges (Subscriber-level) can access sensitive email logs containing password reset keys, enabling full account takeover and privilege escalation to administrator-level access.
Affected Products
- Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin versions 0.5.4 to 1.2.1
- WordPress sites using vulnerable Tablesome plugin versions with email logging enabled
- Any WordPress installation with Subscriber-level user registration enabled
Discovery Timeline
- 2026-02-19 - CVE CVE-2025-12845 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2025-12845
Vulnerability Analysis
This vulnerability stems from improper access control implementation within the Tablesome WordPress plugin. The get_table_data() function lacks proper capability checks, which should verify whether the requesting user has sufficient privileges to access the table data. Without this authorization check, any authenticated user—including those with the lowest privilege level (Subscriber)—can invoke this function and retrieve data that should be restricted to administrators only.
The exploitation pathway is particularly dangerous because the Tablesome plugin can store email logs, including transactional emails like password reset requests. When an attacker triggers a password reset for an administrator account and then exploits this vulnerability to access the email log table, they can obtain the password reset token before the legitimate administrator sees the email. This enables complete account takeover.
Root Cause
The root cause is a missing capability check in the get_table_data() function within the Tablesome plugin. WordPress plugins are expected to verify user capabilities using functions like current_user_can() before allowing access to sensitive data or administrative functions. The absence of this check means the function responds to any authenticated request regardless of the user's role or permissions, violating the principle of least privilege.
Attack Vector
The attack is conducted over the network by authenticated users with minimal privileges. An attacker must first obtain valid credentials for a Subscriber-level account on the target WordPress site, which can be achieved through user registration if enabled. Once authenticated, the attacker can directly call the vulnerable get_table_data() function endpoint to retrieve table contents.
The attack chain for privilege escalation involves:
- Registering or obtaining Subscriber-level access to the target WordPress site
- Initiating a password reset request for an administrator account
- Exploiting the missing capability check to access the email log table data
- Extracting the password reset token from the logged email data
- Using the stolen token to reset the administrator password and gain full control
This vulnerability does not require any user interaction beyond the attacker's own actions, making it particularly exploitable. For technical details on the fix, see the WordPress Changeset Update.
Detection Methods for CVE-2025-12845
Indicators of Compromise
- Unusual API requests to Tablesome plugin endpoints from low-privilege user accounts
- Subscriber-level users accessing administrative table data or email log entries
- Password reset requests followed shortly by table data access from the same or related IP addresses
- Unexpected administrator password changes following plugin table data access
Detection Strategies
- Monitor WordPress AJAX requests for get_table_data actions originating from non-administrator users
- Implement logging for all Tablesome plugin table access attempts and correlate with user privilege levels
- Review WordPress user activity logs for Subscriber accounts making repeated API requests to plugin endpoints
- Set up alerts for password reset requests immediately followed by plugin data access patterns
Monitoring Recommendations
- Enable comprehensive logging of WordPress plugin API calls and user authentication events
- Configure SIEM rules to detect privilege escalation patterns involving password reset flows
- Monitor for rapid sequences of password reset requests followed by table data queries
- Review user registration patterns for potential attacker account creation
How to Mitigate CVE-2025-12845
Immediate Actions Required
- Update the Tablesome Table plugin to a version newer than 1.2.1 immediately
- Audit WordPress user accounts for any unauthorized Subscriber registrations
- Review email logs for potential unauthorized access to password reset tokens
- Reset passwords for all administrator accounts if compromise is suspected
- Temporarily disable user registration if not required for business operations
Patch Information
A security patch addressing the missing capability check has been released. The fix adds proper authorization verification to the get_table_data() function, ensuring that only users with appropriate capabilities can access table data. Site administrators should update to the latest version of the Tablesome plugin through the WordPress admin dashboard or by applying the changeset documented in the WordPress Changeset Update. Additional vulnerability details are available in the Wordfence Vulnerability Report.
Workarounds
- Disable the email logging feature in Tablesome plugin settings until the patch is applied
- Restrict user registration to prevent attackers from obtaining Subscriber accounts
- Implement web application firewall rules to block unauthorized access to plugin endpoints
- Remove Subscriber-level users that are not actively needed for site operations
# Verify current Tablesome plugin version
wp plugin list --name=tablesome --fields=name,version,update_version
# Update Tablesome plugin to latest version
wp plugin update tablesome
# List all subscriber-level users for audit
wp user list --role=subscriber --fields=ID,user_login,user_email,user_registered
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
