Pricing Table builder CVE-2025-62886
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in wpdevart Pricing Table builder wpdevart-pricing-table allows Stored XSS.This issue affects Pricing Table builder: from n/a through <= 1.5.3.
AnalysisAI
Cross-site request forgery enables stored XSS injection in WordPress Pricing Table builder plugin versions up to 1.5.3. Remote unauthenticated attackers can trick authenticated WordPress administrators into executing malicious requests that inject persistent JavaScript payloads into pricing table configurations. EPSS score of 0.02% (4th percentile) indicates low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. The changed scope (S:C) in CVSS vector indicates potential for broader site compromise beyond the plugin's security context.
Technical ContextAI
WordPress Pricing Table builder is a plugin for creating and managing pricing tables in WordPress sites. This vulnerability chains two distinct weaknesses: CWE-352 (Cross-Site Request Forgery) as the initial attack vector, enabling a subsequent stored XSS attack. The CSRF weakness allows attackers to forge requests from authenticated administrators without proper anti-CSRF token validation. The stored XSS component persists malicious JavaScript in the database, affecting all users who view the compromised pricing tables. The CVSS changed scope (S:C) metric indicates the XSS payload can execute in a different security context than the vulnerable plugin component, potentially accessing broader WordPress site resources or session data.
Affected ProductsAI
WordPress Pricing Table builder plugin by wpdevart, all versions from earliest release through version 1.5.3 inclusive. The vulnerability report from Patchstack specifically identifies version 1.5.1 as affected, with the NVD record extending coverage through 1.5.3. Exact CPE designation not provided in available data. Affects WordPress installations running the wpdevart-pricing-table plugin at vulnerable versions. Vendor advisory and detailed vulnerability information available at Patchstack database reference link.
RemediationAI
Upgrade WordPress Pricing Table builder plugin to version 1.5.4 or later if available, verifying from the WordPress plugin repository or wpdevart vendor site that the fixed version addresses CVE-2025-62886. Check Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/wpdevart-pricing-table/ for confirmed fix version and vendor advisory. If immediate patching is not feasible, implement compensating controls: disable or remove the wpdevart-pricing-table plugin until patched version is deployed; educate WordPress administrators to avoid clicking external links while authenticated to wp-admin dashboard; implement WordPress security plugins with CSRF protection and XSS filtering capabilities; restrict wp-admin access to trusted IP ranges via .htaccess or firewall rules, noting this may impact legitimate remote administration; conduct security audit of existing pricing tables for injected JavaScript payloads, examining table content in database wp_posts and plugin-specific tables for suspicious script tags or event handlers. Note that access restrictions impact administrative workflows and should be balanced against operational requirements.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today