Platform: wordpress
Component: tablemaster-for-elementor
Fixed in: 1.3.7
CVE-2025-14610 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the TableMaster for Elementor WordPress plugin. This flaw allows authenticated attackers to initiate web requests to arbitrary locations, potentially exposing sensitive data or gaining access to internal resources. The vulnerability impacts versions 1.0.0 through 1.3.6 of the plugin, and a patch is available in version 1.3.7.
The SSRF vulnerability in TableMaster for Elementor allows authenticated users with Author-level access or higher to craft malicious requests. An attacker could leverage this to read sensitive files on the server, such as the wp-config.php file, which contains database credentials and other critical configuration information. This could lead to complete compromise of the WordPress site. Furthermore, the attacker could potentially access internal network services or localhost resources, expanding the potential blast radius beyond the web server itself. The ability to make arbitrary requests opens the door to reconnaissance activities and potential exploitation of other vulnerabilities within the WordPress environment.
This vulnerability was publicly disclosed on 2026-01-28. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it relatively easy to exploit. It is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential impact, organizations using TableMaster for Elementor should prioritize patching.
EPSS: 0.01% (2% percentile)
The primary mitigation for CVE-2025-14610 is to upgrade the TableMaster for Elementor plugin to version 1.3.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the Data Table widget's 'csv_url' parameter. Web Application Firewalls (WAFs) configured to block requests to internal network addresses or suspicious URLs can provide an additional layer of defense. Monitor web server access logs for unusual outbound requests originating from the plugin’s functionality. After upgrading, confirm the fix by attempting to import a CSV file from an external URL and verifying that the request is properly restricted.
Update to version 1.3.7, or a newer patched version
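As an added example (not code from the plugin or its vendor), the following Python script audits stored widget settings for `csv_url` values that use a non-HTTP scheme or point at a non-public address, the destinations the mitigation above says to restrict. It assumes the page's Elementor data has been exported as JSON and that the setting key is `csv_url`; the widget name `data-table` and the sample document are constructed.

```python
import ipaddress
import json
from urllib.parse import urlsplit

def risky_reason(url):
    """Return why a csv_url value needs review, or None if it looks external."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparseable URL"
    if parts.scheme.lower() not in ("http", "https"):
        return f"scheme {parts.scheme!r} is not http/https"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "no host"
    if host == "localhost" or host.endswith(".localhost"):
        return "localhost name"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary hostname; what it resolves to is not checked here
    return None if ip.is_global else f"non-public address {ip}"

def find_risky_csv_urls(elements, path=""):
    """Walk an Elementor element tree; return (path, url, reason) per finding."""
    findings = []
    for i, el in enumerate(elements):
        here = f"{path}/{el.get('widgetType') or el.get('elType', '?')}[{i}]"
        settings = el.get("settings")
        settings = settings if isinstance(settings, dict) else {}  # may be stored as []
        value = settings.get("csv_url")  # key name taken from the advisory
        if isinstance(value, dict):  # assumption: may be stored as {"url": ...}
            value = value.get("url")
        if isinstance(value, str) and value and (reason := risky_reason(value)):
            findings.append((here, value, reason))
        findings += find_risky_csv_urls(el.get("elements") or [], here)
    return findings

# Constructed sample of a post's Elementor data; "data-table" is a hypothetical widget name.
SAMPLE = json.loads("""[{"elType": "section", "settings": [], "elements": [
  {"elType": "widget", "widgetType": "data-table", "settings": {"csv_url": "https://example.org/prices.csv"}},
  {"elType": "widget", "widgetType": "data-table", "settings": {"csv_url": "http://127.0.0.1:8080/status"}},
  {"elType": "widget", "widgetType": "data-table", "settings": {"csv_url": {"url": "http://10.0.0.5/export.csv"}}},
  {"elType": "widget", "widgetType": "data-table", "settings": {"csv_url": "ftp://files.example.org/a.csv"}}
]}]""")

if __name__ == "__main__":
    for where, url, reason in find_risky_csv_urls(SAMPLE):
        print(f"{where}: {url} -> {reason}")
```

Hostnames that are not IP literals pass this audit unchanged, so it complements rather than replaces a check on the resolved address at request time.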
CVE-2025-14610 is a Server-Side Request Forgery vulnerability affecting TableMaster for Elementor WordPress plugin versions 1.0.0–1.3.6, allowing attackers to make arbitrary web requests.
You are affected if your WordPress site uses TableMaster for Elementor version 1.0.0 through 1.3.6. Upgrade to 1.3.7 to mitigate the risk.
Upgrade the TableMaster for Elementor plugin to version 1.3.7 or later. As a temporary workaround, restrict access to the 'csv_url' parameter.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it could be targeted. Proactive patching is recommended.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.