HIGH · CVE-2025-14610 · CVSS 7.2

TableMaster for Elementor <= 1.3.6 - Authenticated (Author+) Server-Side Request Forgery via the 'csv_url' Parameter

Platform

wordpress

Component

tablemaster-for-elementor

Fixed in

1.3.7

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2025-14610 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the TableMaster for Elementor WordPress plugin. This flaw allows authenticated attackers to initiate web requests to arbitrary locations, potentially exposing sensitive data or gaining access to internal resources. The vulnerability impacts versions 1.0.0 through 1.3.6 of the plugin, and a patch is available in version 1.3.7.

WordPress


Impact and Attack Scenarios

The SSRF vulnerability in TableMaster for Elementor allows authenticated users with Author-level access or higher to craft malicious requests. An attacker could leverage this to read sensitive files on the server, such as the wp-config.php file, which contains database credentials and other critical configuration information. This could lead to complete compromise of the WordPress site. Furthermore, the attacker could potentially access internal network services or localhost resources, expanding the potential blast radius beyond the web server itself. The ability to make arbitrary requests opens the door to reconnaissance activities and potential exploitation of other vulnerabilities within the WordPress environment.

Exploitation Context

This vulnerability was publicly disclosed on 2026-01-28. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it relatively easy to exploit. It is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential impact, organizations using TableMaster for Elementor should prioritize patching.

Who Is at Risk

WordPress websites utilizing the TableMaster for Elementor plugin, particularly those with shared hosting environments or legacy configurations, are at risk. Sites where the 'csv_url' parameter is exposed to users with Author or higher roles are especially vulnerable.

Detection Steps

• wordpress / composer / npm:

grep -r 'csv_url' /var/www/html/wp-content/plugins/tablemaster-for-elementor/*

• generic web:

curl -I https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=tablemaster_import_csv&csv_url=http://internal-server/sensitive-file.txt

• wordpress / composer / npm:

wp plugin list --status=active | grep tablemaster-for-elementor

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.01% (2nd percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (7.2 HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions needed to exploit)
Privileges Required: None (authentication level required)
User Interaction: None (whether the victim must perform an action)
Scope: Changed (impact beyond the affected component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)

nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access needed. Larger attack surface.
Attack Complexity
Low: no special conditions. The attacker can exploit reliably without unusual configurations.
Privileges Required
None: no authentication. No credentials are needed to exploit.
User Interaction
None: the attack is automatic and silent. The victim does nothing.
Scope
Changed: the attack can pivot to other systems beyond the vulnerable component.
Confidentiality
Low: partial or indirect access to some data.
Integrity
Low: the attacker can modify some data with limited scope.
Availability
None: no impact on availability.

Affected Software

Component: tablemaster-for-elementor
Vendor: wordfence
Affected range: 0 – 1.3.6
Fixed in: 1.3.7

Package information

Active installs
100 (niche)
Plugin rating
5.0
Requires WordPress
6.3+
Tested up to
7.0
Requires PHP
7.4+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-14610 is to upgrade the TableMaster for Elementor plugin to version 1.3.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the Data Table widget's 'csv_url' parameter. Web Application Firewalls (WAFs) configured to block requests to internal network addresses or suspicious URLs can provide an additional layer of defense. Monitor web server access logs for unusual outbound requests originating from the plugin’s functionality. After upgrading, confirm the fix by attempting to import a CSV file from an external URL and verifying that the request is properly restricted.
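The two environment-side controls recommended above, a strict validator for the remote CSV location and a log sweep for import requests that point at internal addresses, can be sketched in code. The following Python is an added example written for this page; it is not the plugin's own PHP code and not part of the advisory, and it also serves the Detection Steps section above. The function names (`validate_csv_url`, `scan_access_log`), the `tm_import` action name, the hostnames, the static DNS table and the sample access-log lines are all constructed placeholders so that the example runs offline; a deployment would use the real resolver and real log files.

```python
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_blocked_ip(ip: str) -> bool:
    """True for any address a server-side fetch must never reach: loopback,
    RFC 1918 / ULA, link-local (which includes the 169.254.169.254 metadata
    range), multicast, reserved and unspecified. IPv4-mapped IPv6 is unwrapped
    first so [::ffff:127.0.0.1] cannot slip past an IPv4-only check."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def _system_resolver(host: str) -> list:
    """Resolve through the OS. getaddrinfo also normalises shorthand literals
    such as '127.1' or '0x7f000001', so they are checked as 127.0.0.1."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_csv_url(url: str, resolver=_system_resolver):
    """Return (ok, reason). Rejects non-http(s) schemes, embedded credentials
    and any host whose literal or resolved addresses fall in a blocked range."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    host = parts.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal address, no DNS
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError as exc:
            return False, f"dns failure: {exc}"
        if not addrs:
            return False, "no dns answer"
    for ip in addrs:  # every answer must be safe, not only the first one
        if _is_blocked_ip(ip):
            return False, f"resolves to blocked address {ip}"
    return True, "ok"


# Constructed sample lines in combined log format. The action name, hosts and
# client addresses are placeholders, not values taken from the plugin.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [28/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=tm_import&csv_url=https%3A%2F%2Fdata.example.com%2Fq1.csv HTTP/1.1" 200 512',
    '203.0.113.7 - - [28/Jan/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=tm_import&csv_url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 88',
    '198.51.100.4 - - [28/Jan/2026:10:01:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 1024',
    '203.0.113.7 - - [28/Jan/2026:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=tm_import&csv_url=http%3A%2F%2Fintranet.corp.local%2Fhosts.csv HTTP/1.1" 200 64',
    '203.0.113.7 - - [28/Jan/2026:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=tm_import&csv_url=file%3A%2F%2F%2Fetc%2Fhostname HTTP/1.1" 500 0',
    '192.0.2.9 - - [28/Jan/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

STATIC_DNS = {  # constructed answers so the example needs no network
    "data.example.com": ["93.184.216.34"],
    "intranet.corp.local": ["10.0.0.5"],
}


def static_resolver(host: str) -> list:
    if host not in STATIC_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return STATIC_DNS[host]


LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def scan_access_log(lines, resolver=_system_resolver):
    """Flag admin-ajax requests whose csv_url would fail validate_csv_url.
    parse_qs percent-decodes the parameter the same way the server does."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "admin-ajax.php" not in m.group("target"):
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        for csv_url in query.get("csv_url", []):
            ok, reason = validate_csv_url(csv_url, resolver)
            if not ok:
                findings.append({"src": m.group("src"), "ts": m.group("ts"),
                                 "csv_url": csv_url, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG, static_resolver):
        print(f"{f['ts']} {f['src']} csv_url={f['csv_url']!r}: {f['reason']}")
```

The validator checks every resolved address rather than the first, and treats literal addresses without a DNS lookup, so it gives the same verdict whether the parameter carries a hostname or an IP. A WAF rule can only match the URL text, so the resolution step is what catches a public hostname that points into the private network; running the scanner over existing access logs shows whether such values have already been submitted.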

How to fix it

Update to version 1.3.7, or a more recent patched version


Frequently asked questions

What is CVE-2025-14610 — SSRF in TableMaster for Elementor?

CVE-2025-14610 is a Server-Side Request Forgery vulnerability affecting TableMaster for Elementor WordPress plugin versions 1.0.0–1.3.6, allowing attackers to make arbitrary web requests.

Am I affected by CVE-2025-14610 in TableMaster for Elementor?

You are affected if your WordPress site uses TableMaster for Elementor version 1.0.0 through 1.3.6. Upgrade to 1.3.7 to mitigate the risk.

How do I fix CVE-2025-14610 in TableMaster for Elementor?

Upgrade the TableMaster for Elementor plugin to version 1.3.7 or later. As a temporary workaround, restrict access to the 'csv_url' parameter.

Is CVE-2025-14610 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it could be targeted. Proactive patching is recommended.

Where can I find the official TableMaster for Elementor advisory for CVE-2025-14610?

Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.
