CVE-2025-15058 Overview
The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the table_currency parameter in all versions up to, and including, 5.1.12. This vulnerability exists due to insufficient input sanitization and output escaping in the plugin's currency handling functionality. Authenticated attackers with Contributor-level access and above can inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.
Critical Impact
Authenticated attackers can inject malicious JavaScript that executes in the browsers of site visitors, potentially leading to session hijacking, credential theft, or website defacement.
Affected Products
- Responsive Pricing Table WordPress Plugin versions up to and including 5.1.12
- WordPress installations with the dk-pricr-responsive-pricing-table plugin enabled
- Any site allowing Contributor-level or higher user access
Discovery Timeline
- January 7, 2026 - CVE-2025-15058 published to NVD
- January 8, 2026 - Last updated in NVD database
Technical Details for CVE-2025-15058
Vulnerability Analysis
This vulnerability is classified as CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page). The Responsive Pricing Table plugin fails to properly sanitize user-supplied input in the table_currency parameter before storing it in the database and subsequently rendering it on the frontend. When a user with at least Contributor-level privileges creates or modifies a pricing table, they can embed malicious JavaScript code within the currency field. This script is then stored persistently and executed in the context of any visitor's browser session when they view the page containing the pricing table.
Because the vulnerability is reachable over the network and requires only low complexity to exploit, it is particularly concerning for WordPress sites that grant multiple user roles. Its changed scope means the impact lands in the browsers of site visitors, beyond the vulnerable plugin component itself.
Root Cause
The root cause of this vulnerability lies in the plugin's insufficient input sanitization and output escaping mechanisms. When processing the table_currency parameter, the plugin does not adequately validate or sanitize the input to remove or neutralize potentially malicious HTML or JavaScript content. Additionally, the output escaping is either missing or improperly implemented when the stored currency value is rendered on the page, allowing the injected scripts to execute in the user's browser.
Attack Vector
The attack requires network access and authentication with at least Contributor-level privileges on the target WordPress site. An attacker would:
- Log into the WordPress dashboard with a Contributor or higher-level account
- Navigate to the Responsive Pricing Table plugin settings or create a new pricing table
- Insert malicious JavaScript payload into the table_currency parameter field
- Save the pricing table configuration
- Wait for site visitors or administrators to view pages containing the compromised pricing table
The malicious script then executes in the context of each visitor's browser session, potentially allowing the attacker to steal session cookies, redirect users to malicious sites, modify page content, or perform actions on behalf of authenticated users.
Detection Methods for CVE-2025-15058
Indicators of Compromise
- Unusual or obfuscated content in the table_currency field of pricing table configurations
- JavaScript code or HTML tags present in currency parameter values in the WordPress database
- Reports of unexpected browser behavior when viewing pages with pricing tables
- Suspicious network requests originating from pages containing the Responsive Pricing Table plugin
Detection Strategies
- Review WordPress database entries for the Responsive Pricing Table plugin for script tags or event handlers in currency fields
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Monitor WordPress audit logs for modifications to pricing table configurations by Contributor-level users
- Use web application firewall (WAF) rules to detect XSS payloads in plugin parameters
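The database review described above, as an added example that is not part of the original advisory or the plugin's code: a small audit that scans exported table_currency values (constructed sample rows here) for script tags, event handlers, javascript: URIs and implausible length, decoding HTML entities first so encoded payloads are not missed.

```python
import html
import re
from typing import Dict, List

# Patterns a stored currency value should never contain. Matching runs after
# HTML-entity decoding so that entity-encoded payloads (&lt;script&gt;) are caught too.
SUSPICIOUS = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
    "any_tag": re.compile(r"<\s*[a-z!/]", re.I),
}

# A legitimate currency value is short: a symbol ($, €, £) or an ISO 4217 code (USD).
MAX_LEN = 8


def classify_currency(value: str) -> List[str]:
    """Return the reasons a stored table_currency value looks injected (empty if clean)."""
    decoded = html.unescape(value)
    reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(decoded)]
    if len(decoded) > MAX_LEN:
        reasons.append("too_long")
    return reasons


def audit_rows(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Scan exported rows (table id + stored currency) and return findings per table."""
    findings = []
    for row in rows:
        reasons = classify_currency(row["table_currency"])
        if reasons:
            findings.append({"table_id": row["table_id"], "reasons": reasons})
    return findings


# Constructed sample rows, not real data: two clean, one entity-encoded, one raw.
SAMPLE_ROWS = [
    {"table_id": "11", "table_currency": "USD"},
    {"table_id": "12", "table_currency": "€"},
    {"table_id": "13", "table_currency": "&lt;script&gt;alert(1)&lt;/script&gt;"},
    {"table_id": "14", "table_currency": "$<img src=x onerror=alert(1)>"},
]

if __name__ == "__main__":
    for f in audit_rows(SAMPLE_ROWS):
        print(f"table {f['table_id']}: {', '.join(f['reasons'])}")
```

Feed it the output of a database export of the plugin's stored tables; anything flagged warrants manual review of the table and of which account last edited it.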
Monitoring Recommendations
- Enable WordPress activity logging to track changes to plugin configurations
- Implement real-time alerting for detected XSS patterns in form submissions
- Regularly scan stored content for malicious script patterns
- Monitor browser console errors and CSP violation reports from site visitors
How to Mitigate CVE-2025-15058
Immediate Actions Required
- Update the Responsive Pricing Table plugin to a patched version newer than 5.1.12 when available
- Audit existing pricing table configurations for suspicious content in the table_currency field
- Review and restrict user roles with Contributor-level access or higher
- Implement Content Security Policy headers to mitigate XSS impact
Patch Information
Review the WordPress Plugin Description page for the latest version information and update announcements. For detailed vulnerability information, consult the Wordfence Vulnerability Report.
Workarounds
- Temporarily disable the Responsive Pricing Table plugin until a patch is available
- Restrict Contributor-level access to trusted users only while the vulnerability remains unpatched
- Implement a Web Application Firewall (WAF) with XSS detection rules
- Add server-side input validation for the table_currency parameter through custom code or security plugins
# WordPress CLI command to deactivate the vulnerable plugin temporarily
wp plugin deactivate dk-pricr-responsive-pricing-table
# List users with Contributor role to audit access
wp user list --role=contributor --format=table
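The server-side validation workaround above, as an added illustration that is not the plugin's code and assumes nothing about how it stores data: an allowlist check for the currency value (ISO 4217 code or a fixed symbol set) at save time, and context-aware escaping at render time shown beside the interpolation pattern that causes the bug.

```python
import html
import re
from typing import Optional

# Allowlist: an ISO 4217 alphabetic code (USD, EUR, ...) or one of a fixed set of
# currency symbols. Anything else is rejected outright rather than "cleaned".
ISO_4217_RE = re.compile(r"^[A-Z]{3}$")
ALLOWED_SYMBOLS = frozenset("$€£¥₹₽₩₺₫₪฿")


def validate_currency(raw: str) -> Optional[str]:
    """Return a canonical currency value, or None if the input is not on the allowlist."""
    value = raw.strip()
    if value in ALLOWED_SYMBOLS:
        return value
    code = value.upper()
    if ISO_4217_RE.fullmatch(code):
        return code
    return None  # markup, empty strings and free text are all rejected


def render_currency_cell_unsafe(stored: str) -> str:
    """The vulnerable pattern: the stored value is interpolated into HTML verbatim."""
    return f'<span class="currency">{stored}</span>'


def render_currency_cell(stored: str) -> str:
    """Hardened output: escape for the HTML text context at render time, independent of
    whatever validation ran at save time (defense in depth)."""
    return f'<span class="currency">{html.escape(stored, quote=True)}</span>'


# Constructed sample input, not taken from any real site.
PAYLOAD = "$<script>alert(1)</script>"

if __name__ == "__main__":
    print(validate_currency(" usd "))            # USD
    print(validate_currency(PAYLOAD))            # None: rejected at save time
    print(render_currency_cell_unsafe(PAYLOAD))  # script tag reaches the page
    print(render_currency_cell(PAYLOAD))         # &lt;script&gt; rendered as text
```

In a WordPress plugin the same two checks map to sanitizing on save (an allowlist rather than a generic strip) and escaping with the context-appropriate function on output; rejecting invalid values also keeps the stored data clean for later audits.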
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.