CVE-2025-32218: Unauthorized Access in TableOn WordPress Plugin

The primary impact of CVE-2025-32218 is unauthorized access and potential data manipulation. An attacker with Subscriber privileges could leverage this vulnerability to modify table configurations, potentially exposing sensitive data or altering the plugin's functionality. While the attacker requires authentication, the ease of obtaining Subscriber access on many WordPress sites significantly broadens the attack surface. This could lead to defacement, data breaches, or even the injection of malicious code through the plugin's interface. The blast radius is limited to the scope of the plugin's functionality and the data it manages, but the potential for disruption and data compromise remains significant.

1. 予約済み2025-04-04
2. 公開日2025-04-04
3. 更新日2026-05-05
4. EPSS 更新日2026-03-23

The primary mitigation for CVE-2025-32218 is to immediately upgrade the TableOn – WordPress Posts Table Filterable plugin to version 1.0.6 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily restricting access to the plugin's administrative interface to users with higher privileges. While a WAF or proxy rule cannot directly address the missing capability check, implementing strict access controls and monitoring plugin activity can help detect and prevent exploitation attempts. Regularly review user roles and permissions within WordPress to ensure the principle of least privilege is enforced.