Skip to main content

DB Tables Import/Export CVE-2025-27271

HIGH
Cross-site Scripting (XSS) (CWE-79)
2025-03-03 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 25, 2026 - 00:53 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
CVE Published
Mar 03, 2025 - 14:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound DB Tables Import/Export allows Reflected XSS. This issue affects DB Tables Import/Export: from n/a through 1.0.1.

AnalysisAI

Reflected XSS in DB Tables Import/Export WordPress plugin through version 1.0.1 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted links requiring user interaction. The vulnerability stems from inadequate input sanitization during web page generation, enabling scope change attacks with potential for session hijacking, credential theft, and administrative action execution. EPSS score of 0.09% (26th percentile) indicates low current exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.

Technical ContextAI

This is a reflected Cross-Site Scripting (CWE-79) vulnerability in a WordPress database management plugin. The plugin fails to properly sanitize user-supplied input before rendering it in HTML responses, allowing injection of malicious JavaScript. The CVSS scope change (S:C) indicates the vulnerable component (plugin) runs in a different security context than the impacted component (user's browser session), enabling attacks beyond the plugin's immediate boundary. As a WordPress plugin handling database import/export operations, this likely processes file uploads, table parameters, or query strings without adequate HTML entity encoding or Content Security Policy protections. The reflected nature means the payload must be delivered to victims through social engineering (phishing links, malicious redirects) rather than being stored persistently.

Affected ProductsAI

WordPress plugin DB Tables Import/Export versions up to and including 1.0.1 are confirmed vulnerable per Patchstack advisory. The vulnerability affects all installations running version 1.0.1 or earlier. Patchstack database references identify this as wordpress/plugin/db-tables-importexport (lowercase variant also referenced). Site administrators can verify installed version through WordPress admin dashboard under Plugins section. The affected version range is explicitly stated as 'from n/a through 1.0.1' meaning all versions up to current release are impacted.

RemediationAI

Immediately upgrade DB Tables Import/Export plugin to version 1.0.2 or later if available from the WordPress plugin repository. Verify patch status at https://patchstack.com/database/wordpress/plugin/db-tables-importexport/vulnerability/wordpress-db-tables-import-export-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability as Patchstack tracks confirmed fixes. If no patched version exists, implement compensating controls: restrict plugin access to only trusted administrator accounts through WordPress role management, deploy Web Application Firewall rules to filter common XSS vectors in HTTP parameters (trade-off: potential false positives blocking legitimate database operations), enable Content Security Policy headers to prevent inline script execution (may break plugin functionality requiring testing), or temporarily deactivate the plugin if database import/export features are not actively required. Monitor WordPress access logs for suspicious parameter patterns indicative of XSS probe attempts. As a longer-term mitigation, consider alternative database management plugins with stronger security track records if vendor does not release timely patch.

Share

CVE-2025-27271 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy