TablePress is one of the most popular WordPress plugins for creating and managing tables. With over 800,000 active installs, its ease of use and feature-rich nature have made it a favorite for both beginners and professionals. However, in early 2024, a serious vulnerability was discovered: CVE-2024-23825. If you run TablePress under certain conditions, you could accidentally leak highly sensitive information—even AWS credentials—just by importing a table.
In this guide, we’ll break down the vulnerability, walk through an exploit demonstration, and offer tips to keep your site secure.
What is TablePress and Why Is This Serious?
TablePress lets users import and export tables in various formats, and it allows importing tables from external URLs. The plugin fetches content from a provided link and then parses it into a table format. But here’s the problem: TablePress didn’t properly filter or restrict which URLs users can supply. This means someone could make WordPress reach out to any HTTP URL, including internal addresses.
The AWS Metadata API Problem
If your WordPress site is running on Amazon EC2 or any cloud provider with an internal metadata API, users (or attackers) can point TablePress to those internal URLs. For EC2, this API typically lives at http://169.254.169.254/. If your instance is misconfigured, an attacker can fetch internal credentials just by telling TablePress to import a table from this URL.
Normally, an admin (or another user, depending on permissions) can import a table using a URL like
https://example.com/mydata.csv
TablePress goes out to the internet, grabs the file, and loads the data.
An attacker, using the same import feature, enters a local AWS metadata URL
http://169.254.169.254/latest/meta-data/iam/security-credentials/
Instead of fetching a CSV, TablePress is now making a network request inside the cloud environment, possibly exposing a list of role names.
With another import, the attacker can retrieve credentials
http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME_HERE
TablePress will display the contents in a table—or in an error or log message—giving the attacker sensitive internal secrets.
Suppose the following PHP snippet is at the heart of TablePress’s import code (simplified)
// Vulnerable code in TablePress before version 2.2.5
$import_url = $_POST['import_url']; // from user input
$table_data = file_get_contents($import_url); // fetch URL content
if ($table_data !== false) {
// process data...
} else {
// handle error
}
The problem is that there's no tight control over what URLs are allowed.
Exploit Consequences
If your EC2 instance has a powerful IAM role (like S3 full access), an attacker could get full AWS credentials. From there, they could:
Links & References
- Original GitHub advisory
- NIST NVD CVE-2024-23825 entry
- TablePress official changelog – 2.2.5
1. Update TablePress Immediately
This issue is fixed in version 2.2.5 and later. The patched code blocks internal/private IPs and other unsafe destinations:
// Example of safe URL validation (simplified)
if (!filter_var($import_url, FILTER_VALIDATE_URL) || is_internal_ip($import_url)) {
// block the request!
}
2. Lock Down Instance Metadata Access
- Block metadata API access unless absolutely required. On AWS, you can set the IMDSv2 requirement.
3. Use a Web Application Firewall (WAF)
Filter out suspicious requests or POST data before they reach WordPress.
4. Limit Who Can Import Tables
Restrict who can add or import tables in TablePress, ideally to trusted admins only.
Conclusion
CVE-2024-23825 isn’t just a theoretical risk—it’s a critical flaw that could leak the most sensitive secrets in your cloud, with just a few clicks. This shows why plugins that make server-side HTTP requests must always *validate and restrict URLs*. If you use TablePress, make sure you upgrade now and audit your WordPress security as well as your cloud settings.
Stay safe, patch quickly, and always read the release notes!
Want to read more on TablePress Security?
Check out the official advisory post from TablePress.
Timeline
Published on: 01/30/2024 17:15:11 UTC
Last modified on: 02/05/2024 18:46:02 UTC