DB Tables Import/Export CVE-2025-27271
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound DB Tables Import/Export allows Reflected XSS. This issue affects DB Tables Import/Export: from n/a through 1.0.1.
AnalysisAI
Reflected XSS in DB Tables Import/Export WordPress plugin through version 1.0.1 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted links requiring user interaction. The vulnerability stems from inadequate input sanitization during web page generation, enabling scope change attacks with potential for session hijacking, credential theft, and administrative action execution. EPSS score of 0.09% (26th percentile) indicates low current exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.
Technical ContextAI
This is a reflected Cross-Site Scripting (CWE-79) vulnerability in a WordPress database management plugin. The plugin fails to properly sanitize user-supplied input before rendering it in HTML responses, allowing injection of malicious JavaScript. The CVSS scope change (S:C) indicates the vulnerable component (plugin) runs in a different security context than the impacted component (user's browser session), enabling attacks beyond the plugin's immediate boundary. As a WordPress plugin handling database import/export operations, this likely processes file uploads, table parameters, or query strings without adequate HTML entity encoding or Content Security Policy protections. The reflected nature means the payload must be delivered to victims through social engineering (phishing links, malicious redirects) rather than being stored persistently.
Affected ProductsAI
WordPress plugin DB Tables Import/Export versions up to and including 1.0.1 are confirmed vulnerable per Patchstack advisory. The vulnerability affects all installations running version 1.0.1 or earlier. Patchstack database references identify this as wordpress/plugin/db-tables-importexport (lowercase variant also referenced). Site administrators can verify installed version through WordPress admin dashboard under Plugins section. The affected version range is explicitly stated as 'from n/a through 1.0.1' meaning all versions up to current release are impacted.
RemediationAI
Immediately upgrade DB Tables Import/Export plugin to version 1.0.2 or later if available from the WordPress plugin repository. Verify patch status at https://patchstack.com/database/wordpress/plugin/db-tables-importexport/vulnerability/wordpress-db-tables-import-export-plugin-1-0-1-reflected-cross-site-scripting-xss-vulnerability as Patchstack tracks confirmed fixes. If no patched version exists, implement compensating controls: restrict plugin access to only trusted administrator accounts through WordPress role management, deploy Web Application Firewall rules to filter common XSS vectors in HTTP parameters (trade-off: potential false positives blocking legitimate database operations), enable Content Security Policy headers to prevent inline script execution (may break plugin functionality requiring testing), or temporarily deactivate the plugin if database import/export features are not actively required. Monitor WordPress access logs for suspicious parameter patterns indicative of XSS probe attempts. As a longer-term mitigation, consider alternative database management plugins with stronger security track records if vendor does not release timely patch.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today