Platform
wordpress
Component
tablemaster-for-elementor
Fixed in
1.3.7
CVE-2025-14610 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the TableMaster for Elementor WordPress plugin. This flaw allows authenticated attackers to initiate web requests to arbitrary locations, potentially exposing sensitive data or gaining access to internal resources. The vulnerability impacts versions 1.0.0 through 1.3.6 of the plugin, and a patch is available in version 1.3.7.
The SSRF vulnerability in TableMaster for Elementor allows authenticated users with Author-level access or higher to craft malicious requests. An attacker could leverage this to read sensitive files on the server, such as the wp-config.php file, which contains database credentials and other critical configuration information. This could lead to complete compromise of the WordPress site. Furthermore, the attacker could potentially access internal network services or localhost resources, expanding the potential blast radius beyond the web server itself. The ability to make arbitrary requests opens the door to reconnaissance activities and potential exploitation of other vulnerabilities within the WordPress environment.
This vulnerability was publicly disclosed on 2026-01-28. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it relatively easy to exploit. It is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential impact, organizations using TableMaster for Elementor should prioritize patching.
WordPress websites utilizing the TableMaster for Elementor plugin, particularly those with shared hosting environments or legacy configurations, are at risk. Sites where the 'csv_url' parameter is exposed to users with Author or higher roles are especially vulnerable.
• wordpress / composer / npm:
  grep -r 'csv_url' /var/www/html/wp-content/plugins/tablemaster-for-elementor/*
• generic web:
  curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=tablemaster_import_csv&csv_url=http://internal-server/sensitive-file.txt'
• wordpress / composer / npm:
  wp plugin list --status=active | grep tablemaster-for-elementor
Disclosure
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-14610 is to upgrade the TableMaster for Elementor plugin to version 1.3.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the Data Table widget's 'csv_url' parameter. Web Application Firewalls (WAFs) configured to block requests to internal network addresses or suspicious URLs can provide an additional layer of defense. Monitor web server access logs for unusual outbound requests originating from the plugin’s functionality. After upgrading, confirm the fix by attempting to import a CSV file from an external URL and verifying that the request is properly restricted.
Update to version 1.3.7 or a newer patched version.
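The workaround of restricting the 'csv_url' parameter only helps if the plugin validates the URL before the server fetches it. The following PHP is an added example, not code from the TableMaster plugin or from its 1.3.7 fix; the function name is_safe_csv_url() is hypothetical and the sample URLs are constructed.

```php
<?php
// Added example, not the plugin's own code: validate a user-supplied CSV URL
// before the server fetches it. is_safe_csv_url() is a hypothetical name. Inside
// WordPress, wp_safe_remote_get() applies the equivalent core check
// (wp_http_validate_url()); this standalone version makes the logic visible.

/**
 * Accept only http(s) URLs whose host resolves to a public address.
 * Rejects other schemes (file://, php://, gopher://), embedded credentials,
 * loopback, RFC 1918, link-local (including cloud metadata at
 * 169.254.169.254) and reserved ranges for both IPv4 and IPv6.
 */
function is_safe_csv_url(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false; // "http://trusted@internal-host/" style confusion
    }
    $host = trim($parts['host'], '[]');
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        // Hostname: resolve it (A records only; add dns_get_record() for AAAA)
        $ip = gethostbyname($host);
        if ($ip === $host) {
            return false; // did not resolve
        }
    } else {
        $ip = $host; // literal IPv4/IPv6 address
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// Constructed sample inputs; none are fetched, only checked.
$samples = [
    'https://example.com/data.csv',             // public hostname: allow once it resolves
    'http://198.51.100.7/data.csv',             // documentation-range public IP: allow
    'file:///var/www/html/wp-config.php',       // local file: reject
    'http://127.0.0.1/',                        // loopback: reject
    'http://169.254.169.254/latest/meta-data/', // link-local metadata: reject
    'http://10.0.0.5/export.csv',               // RFC 1918: reject
    'http://[::1]/',                            // IPv6 loopback: reject
];
foreach ($samples as $url) {
    printf("%-44s %s\n", $url, is_safe_csv_url($url) ? 'allow' : 'reject');
}
```

The check runs before the fetch, so the HTTP client must also re-validate every redirect target (wp_safe_remote_get() does this) and should connect to the IP it validated rather than resolving the name a second time, which is the DNS-rebinding gap this kind of pre-check leaves open.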
CVE-2025-14610 is a Server-Side Request Forgery vulnerability affecting the TableMaster for Elementor WordPress plugin, versions 1.0.0–1.3.6, allowing authenticated attackers to make arbitrary web requests from the server.
You are affected if your WordPress site uses TableMaster for Elementor version 1.0.0 through 1.3.6. Upgrade to 1.3.7 to mitigate the risk.
Upgrade the TableMaster for Elementor plugin to version 1.3.7 or later. As a temporary workaround, restrict access to the 'csv_url' parameter.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it could be targeted. Proactive patching is recommended.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.