Table Manager WordPress Plugin Sensitive Information Exposure Vulnerability

Vulnerability

A sensitive information exposure vulnerability exists in the Table Manager plugin for WordPress, affecting all versions through 1.0.0. The issue arises from the 'table_manager' shortcode, which is handled by the 'tablemanager_render_table_shortcode()' function. This function accepts a user-controlled 'table' attribute and applies only minimal sanitization before using it to construct a database table name. It then executes 'DESC' and 'SELECT *' queries against that table and renders the results on the frontend. The function performs no allowlist check restricting access to plugin-created tables, so authenticated attackers with Contributor-level access or higher can extract sensitive data from any table in the WordPress database.

Impact

Exploitation of this vulnerability could lead to unauthorized access and exposure of sensitive information from WordPress database tables.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can use the 'table_manager' shortcode with a 'table' attribute that specifies a database table name. The shortcode can be inserted into a post or page, which will trigger the 'tablemanager_render_table_shortcode()' function. The function will execute queries on the specified table and display the data, including any sensitive information, on the frontend.
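The fix the advisory points at is an allowlist of plugin-created tables. The handler below is an added example, not code from the Table Manager plugin: it sanitizes the attribute, forces the plugin's own table prefix, rejects any name not recorded in an assumed option (`example_tablemanager_tables`), and quotes the identifier with `$wpdb->prepare()`'s `%i` placeholder (WordPress 6.2+); all `example_` names are assumptions.

```php
<?php
// Added example, not the plugin's own code: a hardened handler that only renders
// tables the plugin itself created. Option/function names are assumptions.
add_shortcode( 'table_manager', 'example_hardened_render_table_shortcode' );

// Allowlist: assumes the plugin records the suffixes of tables it creates in an option.
function example_allowed_tables() {
    global $wpdb;
    $allowed = array();
    foreach ( (array) get_option( 'example_tablemanager_tables', array() ) as $suffix ) {
        // Every plugin table lives under the plugin's own prefix.
        $allowed[] = $wpdb->prefix . 'tablemanager_' . sanitize_key( $suffix );
    }
    return $allowed;
}

function example_hardened_render_table_shortcode( $atts ) {
    global $wpdb;
    $atts  = shortcode_atts( array( 'table' => '' ), $atts, 'table_manager' );
    // sanitize_key() keeps only [a-z0-9_-], so no quoting or comment tricks survive.
    $table = sanitize_key( $atts['table'] );
    $full  = $wpdb->prefix . 'tablemanager_' . $table;

    // Reject anything that is not a plugin-created table: core tables such as
    // wp_users or wp_options can never be selected through the shortcode.
    if ( '' === $table || ! in_array( $full, example_allowed_tables(), true ) ) {
        return '<p>' . esc_html__( 'Unknown table.', 'example' ) . '</p>';
    }

    // %i (WordPress 6.2+) quotes the identifier; the name is already allowlisted.
    $rows = $wpdb->get_results( $wpdb->prepare( 'SELECT * FROM %i LIMIT 100', $full ), ARRAY_A );
    if ( empty( $rows ) ) {
        return '';
    }
    // Escape every column name and cell before it reaches the page.
    $html = '<table><tr>';
    foreach ( array_keys( $rows[0] ) as $col ) {
        $html .= '<th>' . esc_html( $col ) . '</th>';
    }
    $html .= '</tr>';
    foreach ( $rows as $row ) {
        $html .= '<tr>';
        foreach ( $row as $cell ) {
            $html .= '<td>' . esc_html( (string) $cell ) . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}
```

The allowlist comparison, not the sanitization, is what closes the issue: sanitize_key() alone would still let a Contributor name wp_users.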

Added: Apr 22, 2026, 10:17 AM
Updated: Apr 22, 2026, 10:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.