Plugin inspection:

TablePress

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 1.5.1 of this plugin, but the most recent version is 3.0.1. These findings may no longer be correct.

Findings

  • At over 11,000 lines of PHP this is a very large plugin, which makes it difficult to thoroughly assess
  • The plugin intentionally allows importing files on the server as tables ( /wp-admin/admin.php?page=tablepress_import ). There doesn’t seem to be any code specifically designed to prevent importing PHP files so it may be possible to read the contents of some PHP files.
  • The plugin also intentionally allows importing tables from URLs and it is not clear if it disallows internal addresses. It may therefore be possible to make GET requests to download sensitive internal files using WordPress’ download_url() function.

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Intentionally allows reading the contents of seemingly any file so long as one of the parsers can understand the format. Intentionally allows GET requests to arbitrary locations.

Failure criteria

  • Unsafe request processing
  • Unsafe file or network IO
  • Very large codebase

Read more about our failure criteria.