Platform
wordpress
Component
tablemaster-for-elementor
Fixed in
1.3.7
CVE-2025-14610 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the TableMaster for Elementor WordPress plugin. This flaw allows authenticated attackers to initiate web requests to arbitrary locations, potentially exposing sensitive data or gaining access to internal resources. The vulnerability impacts versions 1.0.0 through 1.3.6 of the plugin, and a patch is available in version 1.3.7.
The SSRF vulnerability in TableMaster for Elementor allows authenticated users with Author-level access or higher to craft malicious requests. An attacker could leverage this to read sensitive files on the server, such as the wp-config.php file, which contains database credentials and other critical configuration information. This could lead to complete compromise of the WordPress site. Furthermore, the attacker could potentially access internal network services or localhost resources, expanding the potential blast radius beyond the web server itself. The ability to make arbitrary requests opens the door to reconnaissance activities and potential exploitation of other vulnerabilities within the WordPress environment.
This vulnerability was publicly disclosed on 2026-01-28. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it relatively easy to exploit. It is not currently listed on the CISA KEV catalog. Given the ease of exploitation and the potential impact, organizations using TableMaster for Elementor should prioritize patching.
WordPress websites utilizing the TableMaster for Elementor plugin, particularly those with shared hosting environments or legacy configurations, are at risk. Sites where the 'csv_url' parameter is exposed to users with Author or higher roles are especially vulnerable.
• wordpress / composer / npm:
grep -r 'csv_url' /var/www/html/wp-content/plugins/tablemaster-for-elementor/*
• generic web:
curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=tablemaster_import_csv&csv_url=http://internal-server/sensitive-file.txt'
• wordpress / composer / npm:
wp plugin list --status=active | grep tablemaster-for-elementor
Exploit status
EPSS
0.01% (2nd percentile)
The primary mitigation for CVE-2025-14610 is to upgrade the TableMaster for Elementor plugin to version 1.3.7 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the Data Table widget's 'csv_url' parameter. Web Application Firewalls (WAFs) configured to block requests to internal network addresses or suspicious URLs can provide an additional layer of defense. Monitor web server access logs for unusual outbound requests originating from the plugin’s functionality. After upgrading, confirm the fix by attempting to import a CSV file from an external URL and verifying that the request is properly restricted.
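To make the "restrict the csv_url parameter" advice concrete, here is an added illustration (not TableMaster's own code) of a hypothetical admin-ajax CSV-import handler in the vulnerable shape described above, beside a hardened version built on WordPress core APIs. The handler names, the nonce action and the required capability are assumptions.

```php
<?php
// Added example, not code from the TableMaster for Elementor plugin.
// Handler names, the nonce action and the capability are assumed.

// Vulnerable pattern: the user-supplied csv_url is fetched unchanged, so a
// loopback, private or link-local target is reached from the web server.
function tm_import_csv_unsafe() {
    $url  = isset( $_POST['csv_url'] ) ? $_POST['csv_url'] : '';
    $resp = wp_remote_get( $url );          // no scheme, host or IP checks
    wp_send_json_success( wp_remote_retrieve_body( $resp ) );
}

// Hardened pattern.
function tm_import_csv_safe() {
    // 1. Require a nonce and an administrative capability (assumed choice;
    //    the point is that Author-level users can no longer trigger fetches).
    check_ajax_referer( 'tm_import_csv' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Sanitize and allow only http(s) URLs.
    $raw = isset( $_POST['csv_url'] ) ? wp_unslash( $_POST['csv_url'] ) : '';
    $url = esc_url_raw( $raw, array( 'http', 'https' ) );
    if ( '' === $url ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    // 3. wp_http_validate_url() rejects loopback, private and link-local
    //    addresses after resolving the hostname (a site may opt specific
    //    hosts back in through the http_request_host_is_external filter).
    if ( false === wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'url not allowed', 400 );
    }

    // 4. wp_safe_remote_get() re-validates the URL, including redirect
    //    targets; the size limit stops an oversized response from
    //    exhausting memory.
    $resp = wp_safe_remote_get( $url, array(
        'timeout'             => 5,
        'limit_response_size' => 5 * MB_IN_BYTES,
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }
    wp_send_json_success( wp_remote_retrieve_body( $resp ) );
}

add_action( 'wp_ajax_tm_import_csv', 'tm_import_csv_safe' );
```

The same two checks (capability plus wp_http_validate_url before any server-side fetch) are what to look for when reviewing the patched 1.3.7 code or any other plugin that imports from a user-supplied URL.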
Update to version 1.3.7 or a more recent patched version.
CVE-2025-14610 is a Server-Side Request Forgery vulnerability affecting TableMaster for Elementor WordPress plugin versions 1.0.0–1.3.6, allowing attackers to make arbitrary web requests.
You are affected if your WordPress site uses TableMaster for Elementor version 1.0.0 through 1.3.6. Upgrade to 1.3.7 to mitigate the risk.
Upgrade the TableMaster for Elementor plugin to version 1.3.7 or later. As a temporary workaround, restrict access to the 'csv_url' parameter.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it could be targeted. Proactive patching is recommended.
Refer to the plugin developer's website or WordPress.org plugin page for the latest advisory and update information.