CVE-2026-3513 Overview
The TableOn – WordPress Posts Table Filterable plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in the tableon_button shortcode. All versions up to and including 1.0.4.4 are affected due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. This vulnerability allows authenticated attackers with Contributor-level access or above to inject arbitrary web scripts into pages that execute whenever a user accesses an injected page.
Critical Impact
Authenticated attackers can persistently inject malicious JavaScript that executes in visitors' browsers, potentially leading to session hijacking, credential theft, or defacement of WordPress sites using this plugin.
Affected Products
- TableOn – WordPress Posts Table Filterable plugin versions up to and including 1.0.4.4
- WordPress sites with Contributor-level or above user accounts enabled
Discovery Timeline
- 2026-04-08 - CVE-2026-3513 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-3513
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability exists within the shortcode processing functionality of the TableOn plugin. The vulnerability stems from the do_shortcode_button() function which extracts user-supplied shortcode attributes without proper sanitization before passing them to the TABLEON_HELPER::draw_html_item() method. The affected attributes include class, help_link, popup_title, and help_title.
When processing these attributes, the helper function concatenates attribute values into HTML output using single quotes without proper escaping. Specifically, at line 29 of the helper code, the construction $item .= " {$key}='{$value}'" directly inserts unsanitized user input into HTML attributes, creating an exploitable injection point.
Since this is a Stored XSS vulnerability, the malicious payload persists in the WordPress database and executes every time a user views the affected page, making it particularly dangerous for high-traffic sites.
Root Cause
The root cause is the absence of input sanitization and output escaping in the shortcode attribute handling process. The do_shortcode_button() function fails to validate or sanitize the shortcode attributes before they are processed. Additionally, the TABLEON_HELPER::draw_html_item() function does not apply proper HTML escaping functions (such as WordPress's esc_attr()) when concatenating attribute values into the HTML output. This violates the fundamental security principle of treating all user input as untrusted and properly encoding output based on context.
Attack Vector
The attack vector requires an authenticated attacker with at least Contributor-level privileges on the WordPress site. The attacker creates or edits a post or page containing a malicious tableon_button shortcode with crafted attribute values designed to break out of the single-quoted HTML attribute context.
An attacker would craft a shortcode with malicious JavaScript payloads embedded in vulnerable attributes like class, help_link, popup_title, or help_title. When the page containing this shortcode is rendered, the unsanitized attribute values are directly inserted into the HTML, allowing the attacker to inject event handlers or break out of the attribute context to execute arbitrary JavaScript in the context of any user viewing the page.
Detection Methods for CVE-2026-3513
Indicators of Compromise
- Review WordPress posts and pages for suspicious tableon_button shortcode usage containing JavaScript event handlers or encoded payloads
- Monitor for unexpected shortcode attributes containing characters such as single quotes, angle brackets, or javascript: protocol handlers
- Audit user activity logs for Contributor-level users creating or modifying content with shortcodes
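The indicator review above as a runnable check, added here as an example and not part of the original advisory or the plugin's own code: it pulls tableon_button shortcodes out of post content (the sample rows are constructed) and flags the four attributes named above whenever a value could break out of the single-quoted context or carries an event handler, a javascript: URI, or encoded quotes and brackets.

```python
import re

# Attributes the advisory names as rendered unescaped into " {$key}='{$value}'".
VULNERABLE_ATTRS = {"class", "help_link", "popup_title", "help_title"}
SHORTCODE_RE = re.compile(r"\[tableon_button\b([^\]]*)\]", re.IGNORECASE)
# WordPress-style attribute syntax: key="..." | key='...' | key=bare
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# Each rule maps to one of the indicators listed above.
SUSPICIOUS = [
    ("single quote (breaks out of the single-quoted attribute)", re.compile(r"'")),
    ("angle bracket", re.compile(r"[<>]")),
    ("javascript: URI", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("inline event handler", re.compile(r"\bon\w+\s*=", re.IGNORECASE)),
    ("encoded quote or bracket", re.compile(r"&#x?[0-9a-f]+;?|%27|%3c|%3e", re.IGNORECASE)),
]

# Constructed sample post_content rows (not from the advisory): 101 is benign,
# 102 and 103 carry the breakout patterns the advisory describes, 104 is plain markup.
SAMPLE_POSTS = {
    101: "Catalogue: [tableon_button class='btn' popup_title='Price list' help_link='https://example.com/help']",
    102: "[tableon_button class=\"x' onmouseover='alert(1)\" popup_title='Help']",
    103: "[tableon_button help_link=\"javascript:alert(1)\" help_title='Docs']",
    104: "[tableon_button popup_title='<b>Docs</b>']",
}


def parse_attrs(raw: str) -> dict[str, str]:
    """Parse one shortcode's attribute string into a name -> value map."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        # Exactly one of the three value groups is set for each match.
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def scan_post(post_id: int, content: str) -> list[dict]:
    """Return one finding per vulnerable attribute whose value trips a rule."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        for name, value in parse_attrs(sc.group(1)).items():
            if name not in VULNERABLE_ATTRS:
                continue
            reasons = [label for label, rx in SUSPICIOUS if rx.search(value)]
            if reasons:
                findings.append({"post_id": post_id, "attr": name, "value": value, "reasons": reasons})
    return findings


def scan_posts(posts: dict[int, str]) -> list[dict]:
    """Scan a mapping of post ID -> post_content, e.g. loaded from a wp_posts export."""
    return [f for pid, body in posts.items() for f in scan_post(pid, body)]
```

Run it over a dump of post_content for published and pending posts alike, since a Contributor's pending revision is stored before any editor approves it.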
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect XSS patterns in shortcode attributes
- Use WordPress security plugins to scan for stored XSS patterns in post content
- Enable Content Security Policy (CSP) headers to detect and report inline script execution attempts
Monitoring Recommendations
- Enable detailed logging for WordPress post and page modifications, particularly those containing shortcodes
- Monitor browser console errors and CSP violation reports for signs of blocked malicious script execution
- Regularly audit user roles and remove unnecessary Contributor-level access where possible
How to Mitigate CVE-2026-3513
Immediate Actions Required
- Update the TableOn – WordPress Posts Table Filterable plugin to the latest patched version immediately
- Audit existing posts and pages for potentially malicious tableon_button shortcode usage
- Review and restrict Contributor-level user permissions until the update is applied
- Implement Content Security Policy headers to mitigate the impact of any existing injected scripts
Patch Information
Security patches have been released through the WordPress plugin repository. Administrators should update to the latest version of the TableOn – WordPress Posts Table Filterable plugin through the WordPress admin dashboard or by downloading from the official plugin repository. The patch addresses the vulnerability by implementing proper input sanitization using sanitize_text_field() and output escaping using esc_attr() for shortcode attributes before they are rendered in HTML. For detailed changeset information, refer to the WordPress Changeset Details. Additional vulnerability information is available in the Wordfence Vulnerability Report.
Workarounds
- Temporarily disable the TableOn – WordPress Posts Table Filterable plugin until a patch can be applied
- Restrict user registration and demote existing Contributor-level users to Subscriber level where possible
- Implement server-side input validation using a WAF to filter potentially malicious shortcode attribute values
- Enable strict Content Security Policy headers to prevent execution of inline scripts as a defense-in-depth measure
# Add Content Security Policy header in .htaccess as interim protection
# Requires mod_headers. A script-src without 'unsafe-inline' also blocks legitimate inline
# scripts from the theme and other plugins, so test on a staging site before deploying.
Header set Content-Security-Policy "script-src 'self'; object-src 'none';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.