Tablesome Table WordPress Plugin CVE-2025-11499: Brief Summary of Unauthenticated Arbitrary File Upload Vulnerability

This post offers a brief summary of CVE-2025-11499, a critical unauthenticated arbitrary file upload vulnerability affecting the Tablesome Table WordPress plugin up to version 1.1.32. The summary covers technical details, affected versions, and vendor security history based on public sources.
CVE Analysis


ZeroPath CVE Analysis


2025-10-31

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Unauthenticated attackers can write arbitrary files to the web server of a WordPress site running a vulnerable Tablesome Table plugin, which turns into remote code execution wherever the server executes PHP from the uploads directory. The plugin has thousands of active installations and the flaw is trivial to exploit on sites with the affected workflow configuration, making it a high-priority risk for any organization using the plugin.

Tablesome Table is a moderately popular WordPress plugin developed by essekia, with over 228,000 downloads and about 9,000 active installations. It enables users to create responsive tables and manage contact form submissions. The plugin's broad feature set and integration with popular form plugins have made it a common choice for WordPress site administrators.

Technical Information

The vulnerability resides in the set_featured_image_from_external_url() function in the plugin's workflow library (wp-post-creation.php, line 309). Workflows in the plugin can set a post's featured image from an external URL, and this function fetches that remote file and stores it in the WordPress uploads directory. The core issue is the absence of adequate server-side file type validation: when a workflow is configured so that unauthenticated users can submit a featured image, the plugin never verifies that what it fetched is actually an image. An attacker can therefore have a file with a dangerous extension such as .php written under wp-content/uploads, and if the web server executes PHP from that directory (the default on many web server setups unless execution there has been explicitly disabled), the result is remote code execution.

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). An attacker exploits it by sending the workflow an HTTP request whose featured-image URL points at a file they host; the plugin performs the download and the write. The risk is highest where a workflow accepts featured images from unauthenticated users and the web server executes PHP files in the upload directory. No public code snippets are available, but the vulnerable function and file location are documented in the plugin's source and advisory references.
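To make the failure and the fix concrete, the following is an added example written for this analysis, not code from the Tablesome plugin or its advisory (the plugin's own source is not reproduced on this page). The unsafe function is an illustrative reconstruction of the CWE-434 pattern described above, not the plugin's implementation; the function names, error codes and file-naming scheme are assumptions. The hardened function assumes it is loaded inside WordPress (for instance as an mu-plugin) and relies only on core functions: wp_http_validate_url(), download_url(), media_handle_sideload() and set_post_thumbnail(). The byte sniffer is plain PHP and runs on its own.

```php
<?php
// Added example for this write-up; NOT the Tablesome plugin's code. Function names are ours.
// sniff_image_extension() is plain PHP. The two featured-image functions assume they are
// loaded inside WordPress and use only core functions.

/**
 * Decide what a fetched "image" really is from its leading bytes, never from the URL,
 * its extension, or the remote Content-Type header. Returns the extension to store it
 * under, or null for anything that is not one of the accepted raster formats.
 */
function sniff_image_extension(string $bytes): ?string
{
    if (strncmp($bytes, "\xFF\xD8\xFF", 3) === 0) {
        return 'jpg';
    }
    if (strncmp($bytes, "\x89PNG\r\n\x1a\n", 8) === 0) {
        return 'png';
    }
    if (strncmp($bytes, 'GIF87a', 6) === 0 || strncmp($bytes, 'GIF89a', 6) === 0) {
        return 'gif';
    }
    if (strncmp($bytes, 'RIFF', 4) === 0 && substr($bytes, 8, 4) === 'WEBP') {
        return 'webp';
    }
    return null; // PHP source, HTML, SVG (scriptable), shell scripts: all refused
}

/**
 * Illustrative UNSAFE pattern of the CWE-434 class described above (not the plugin's
 * source): the stored file name, and therefore its extension, comes from the attacker's
 * URL and the body is never inspected.
 */
function unsafe_set_featured_image_from_external_url(int $post_id, string $url): string
{
    $body = wp_remote_retrieve_body(wp_remote_get($url));
    $name = basename((string) wp_parse_url($url, PHP_URL_PATH)); // https://evil.example/shell.php -> shell.php
    $dest = trailingslashit(wp_upload_dir()['path']) . $name;      // wp-content/uploads/YYYY/MM/shell.php
    file_put_contents($dest, $body);                               // now reachable over HTTP
    return $dest;
}

/**
 * Hardened replacement. Every decision is made on data the attacker does not control:
 * the URL is validated, the bytes are sniffed, the file name is generated, and WordPress
 * core re-checks the type before creating the attachment.
 */
function safe_set_featured_image_from_external_url(int $post_id, string $url)
{
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    // Public http(s) only; rejects localhost and private ranges, which also closes SSRF.
    if (!wp_http_validate_url($url)) {
        return new WP_Error('featured_image_bad_url', 'URL rejected');
    }
    $tmp = download_url($url, 30); // temp file fetched via wp_safe_remote_get()
    if (is_wp_error($tmp)) {
        return $tmp;
    }
    $ext = sniff_image_extension((string) file_get_contents($tmp, false, null, 0, 16));
    if ($ext === null) {
        @unlink($tmp);
        return new WP_Error('featured_image_not_image', 'Remote file is not a JPEG, PNG, GIF or WebP image');
    }
    // Name the file ourselves: random stem, extension from the sniffed type. Nothing from the
    // URL survives, so a polyglot that passes the sniff is stored as *.gif and never reaches
    // the PHP handler.
    $file = [
        'name'     => 'featured-' . wp_generate_password(12, false) . '.' . $ext,
        'tmp_name' => $tmp,
    ];
    $attachment_id = media_handle_sideload($file, $post_id); // core runs wp_check_filetype_and_ext() again
    if (is_wp_error($attachment_id)) {
        @unlink($tmp);
        return $attachment_id;
    }
    set_post_thumbnail($post_id, $attachment_id);
    return $attachment_id;
}

// Stand-alone check of the sniffer with constructed sample bytes (no WordPress needed).
if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    $png  = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 8);
    $php  = "<?php system(\$_GET['c']); ?>";
    $poly = "GIF89a<?php echo 1; ?>"; // valid GIF header with PHP behind it
    $ok = sniff_image_extension($png) === 'png'
        && sniff_image_extension($php) === null
        && sniff_image_extension($poly) === 'gif';
    echo $ok ? "sniffer OK\n" : "sniffer FAILED\n";
    exit($ok ? 0 : 1);
}
```

The point of the hardened version is that no attacker-supplied string reaches the filesystem: the extension is derived from the bytes, the stem is random, and media_handle_sideload() applies the same type checks the WordPress media uploader does, so unauthenticated callers (who lack the unfiltered_upload capability) cannot bypass them. Content sniffing alone does not stop an image/PHP polyglot, which is why the file name is also controlled and why the server should not execute PHP under wp-content/uploads at all.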

Affected Systems and Versions

  • Product: Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress
  • Affected versions: All versions up to and including 1.1.32
  • Exploitable configurations: sites where a workflow allows unauthenticated users to submit a featured image; the file write becomes remote code execution where the web server also executes PHP files in the upload directory
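For responders checking whether a site in the exploitable configuration was actually hit, the following is an added example written here, not part of the advisory or the plugin: a stand-alone PHP sweep of wp-content/uploads that flags the artifacts an arbitrary-file-upload attack leaves behind. The extension list, the 4 KiB sniff window and the exit codes are this example's own choices.

```php
<?php
// Added example for this write-up (not part of the advisory or the plugin): an incident-response
// sweep of a WordPress uploads tree for the kind of file an unauthenticated arbitrary-file-upload
// bug leaves behind. Plain PHP >= 7.4, no WordPress needed.
// Usage: php scan-uploads.php /var/www/html/wp-content/uploads

// Name segments a typical Apache/PHP-FPM handler will execute.
const RISKY_SEGMENTS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phtm', 'phar', 'shtml', 'cgi'];

/**
 * Classify one file from its path and the first bytes of its content.
 * Returns a list of reasons it is suspicious (empty when it looks like a normal upload).
 */
function classify_upload(string $path, string $head): array
{
    $reasons = [];
    $base = strtolower(basename($path));

    // Every dotted segment after the first counts: AddHandler-style configs execute
    // shell.php.jpg just as readily as shell.php.
    $segments = explode('.', $base);
    array_shift($segments);
    foreach ($segments as $seg) {
        if (in_array($seg, RISKY_SEGMENTS, true)) {
            $reasons[] = "executable extension segment .$seg";
            break;
        }
    }

    // Server config dropped into uploads can re-enable execution a hardened site had switched off.
    if (in_array($base, ['.htaccess', '.user.ini', 'php.ini', 'web.config'], true)) {
        $reasons[] = 'server configuration file inside uploads';
    }

    // Polyglots: a real image header followed by PHP. Harmless only while nothing executes it.
    if (preg_match('/<\?(php\b|=)/i', $head)) {
        $reasons[] = 'PHP open tag in the first 4 KiB';
    }
    return $reasons;
}

/** Walk the tree and return [path => reasons] for every suspicious file. */
function scan_uploads(string $root): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $path = $entry->getPathname();
        $head = (string) @file_get_contents($path, false, null, 0, 4096); // unreadable file -> ''
        $reasons = classify_upload($path, $head);
        if ($reasons) {
            $findings[$path] = $reasons;
        }
    }
    ksort($findings);
    return $findings;
}

if (PHP_SAPI === 'cli') {
    if (!isset($argv[1]) || !is_dir($argv[1])) {
        fwrite(STDERR, "usage: php {$argv[0]} /path/to/wp-content/uploads\n");
        exit(2);
    }
    $findings = scan_uploads($argv[1]);
    foreach ($findings as $path => $reasons) {
        echo $path, ': ', implode('; ', $reasons), PHP_EOL;
    }
    // Exit 1 when anything was flagged so the sweep can gate a cron job or a deploy check.
    exit($findings ? 1 : 0);
}
```

Any hit under uploads on a site that exposed the affected workflow should be treated as an indicator of compromise: preserve the file, pull the web server access log for requests to that path, and check the plugin's workflow submissions around the file's modification time. Independently of the plugin version, the web server should be configured to refuse PHP execution under wp-content/uploads, which turns this class of bug from remote code execution into a storage nuisance.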

Vendor Security History

Tablesome Table has a notable history of security issues. Prior vulnerabilities include:

  • CVE-2024-37498 (sensitive data exposure via API, up to 1.0.33)
  • CVE-2024-31388 (cross-site request forgery, up to 1.0.25)
  • CVE-2024-29110 (reflected cross-site scripting, up to 1.0.27)

The developer has released patches for these issues, but the recurrence of input validation and authorization problems indicates ongoing challenges with secure development practices.
