PT-2026-31075 · WordPress · Tableon – Wordpress Posts Table Filterable

Itthidej Aramsri · Published 2026-04-08 · Updated 2026-04-13 · CVE-2026-3513

CVSS v3.1: 6.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

TableOn – WordPress Posts Table Filterable plugin versions up to and including 1.0.4.4

Description

The TableOn – WordPress Posts Table Filterable plugin is susceptible to Stored Cross-Site Scripting. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as class, help_link, popup_title, and help_title. The do_shortcode_button() function extracts these attributes without sanitization and passes them to TABLEON_HELPER::draw_html_item(), which concatenates attribute values into HTML using single quotes without escaping. This allows authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages, which will execute when a user accesses the injected page.

Recommendations

Update to a version later than 1.0.4.4
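
The root cause in the description, as an added PHP example that is not the plugin's code: draw_item_unsafe() and draw_item_safe() are hypothetical stand-ins for a helper that builds single-quoted attributes, and the attribute values are constructed. It runs without WordPress, using htmlspecialchars() with ENT_QUOTES where a plugin would call esc_attr().

```php
<?php
// Added illustration; function names and sample values are hypothetical.

// Pattern from the description: attribute values concatenated into
// single-quoted HTML attributes with no escaping.
function draw_item_unsafe(string $tag, array $attrs, string $content = ''): string {
    $html = "<{$tag}";
    foreach ($attrs as $name => $value) {
        $html .= " {$name}='{$value}'";
    }
    return $html . ">{$content}</{$tag}>";
}

// Hardened form: escape every value at output time. ENT_QUOTES encodes the
// single quote as well, so a value cannot close the attribute it sits in.
function draw_item_safe(string $tag, array $attrs, string $content = ''): string {
    $html = "<{$tag}";
    foreach ($attrs as $name => $value) {
        // Attribute names must come from code, never from shortcode input.
        if (!preg_match('/^[a-z][a-z0-9-]*$/', $name)) {
            continue;
        }
        $html .= " {$name}='" . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "'";
    }
    return $html . '>' . htmlspecialchars($content, ENT_QUOTES, 'UTF-8') . "</{$tag}>";
}

// Parse the markup the way a browser would and list the element's attributes.
function attr_names(string $html): array {
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $names = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed shortcode attributes: the quote in "class" ends the value early.
$atts = [
    'class'           => "btn' data-injected='1",
    'data-help-title' => 'Help',
];

foreach (['unsafe' => 'draw_item_unsafe', 'safe' => 'draw_item_safe'] as $label => $fn) {
    $html = $fn('a', $atts, 'Open');
    echo $label, ': ', $html, PHP_EOL;
    echo '  parsed attributes: ', implode(', ', attr_names($html)), PHP_EOL;
}
```

The unsafe output parses with an extra data-injected attribute that the author never declared, while the escaped output keeps the whole value inside class.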

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-3513

Affected Products: Tableon – Wordpress Posts Table Filterable