📄 Description (English)
The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config.php via the 'csv_url' parameter.
🤖 AI Executive Summary
TableMaster for Elementor plugin versions up to 1.3.6 contain a Server-Side Request Forgery (SSRF) vulnerability allowing authenticated users with Author-level access to make arbitrary web requests and access sensitive files like wp-config.php. The vulnerability affects the CSV import functionality in the Data Table widget through an unvalidated 'csv_url' parameter. This poses significant risk to WordPress-based websites in Saudi Arabia, particularly those managing sensitive business data through Elementor-based platforms.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 8, 2026 08:19
🇸🇦 Saudi Arabia Impact Assessment
High impact for Saudi e-commerce platforms, government websites, and corporate portals built with WordPress and Elementor. Most at-risk sectors include: Banking and Financial Services (SAMA-regulated entities using WordPress for customer portals), Government agencies (NCA oversight), Healthcare providers (SEHA-affiliated organizations), Telecommunications (STC, Mobily), and Energy sector (ARAMCO contractors). The vulnerability allows internal network reconnaissance and potential access to database credentials stored in wp-config.php, enabling lateral movement within organizational networks. Particularly critical for organizations with multi-tier network architectures common in Saudi enterprises.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare
Energy and Utilities
Telecommunications
E-commerce and Retail
Education
Media and Publishing
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Update TableMaster for Elementor plugin to version 1.3.7 or later immediately
2. Audit user accounts with Author-level access and above; review recent CSV import activities in audit logs
3. Rotate database credentials (wp-config.php) if SSRF exploitation is suspected
4. Review wp-config.php file permissions (should not be web-accessible)
PATCHING GUIDANCE:
1. Backup WordPress installation before updating
2. Update plugin through WordPress admin dashboard or via WP-CLI: wp plugin update tablemaster-for-elementor
3. Test Data Table widget functionality post-update
4. Verify CSV import feature works with legitimate URLs only
COMPENSATING CONTROLS (if immediate patching delayed):
1. Restrict Author-level access to only trusted users; audit current assignments
2. Implement Web Application Firewall (WAF) rules to block requests to 127.0.0.1, localhost, and private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from WordPress
3. Disable Data Table widget CSV import functionality via plugin settings if not actively used
4. Implement network segmentation to isolate WordPress servers from sensitive internal services
5. Monitor outbound connections from WordPress server using host-based IDS
DETECTION RULES:
1. Monitor POST requests to wp-admin/admin-ajax.php with 'csv_url' parameter containing: localhost, 127.0.0.1, private IP ranges, or file:// protocol
2. Alert on wp-config.php access attempts from web server process
3. Monitor for unusual outbound connections from WordPress process to internal network ranges
4. Log all Data Table widget CSV import activities with source IP and URL parameters
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديث مكون TableMaster for Elementor إلى الإصدار 1.3.7 أو أحدث فوراً
2. تدقيق حسابات المستخدمين على مستوى المؤلف وما فوقه؛ مراجعة أنشطة استيراد CSV الأخيرة في سجلات التدقيق
3. تدوير بيانات اعتماد قاعدة البيانات (wp-config.php) إذا كان هناك اشتباه في استغلال SSRF
4. مراجعة أذونات ملف wp-config.php (يجب ألا يكون قابلاً للوصول عبر الويب)
إرشادات التصحيح:
1. عمل نسخة احتياطية من تثبيت WordPress قبل التحديث
2. تحديث المكون من خلال لوحة تحكم WordPress أو عبر WP-CLI: wp plugin update tablemaster-for-elementor
3. اختبار وظيفة أداة جدول البيانات بعد التحديث
4. التحقق من أن ميزة استيراد CSV تعمل فقط مع عناوين URL الشرعية
الضوابط البديلة (إذا تأخر التصحيح الفوري):
1. تقييد وصول مستوى المؤلف للمستخدمين الموثوقين فقط؛ تدقيق التعيينات الحالية
2. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر الطلبات إلى 127.0.0.1 و localhost ونطاقات IP الخاصة من WordPress
3. تعطيل وظيفة استيراد CSV لأداة جدول البيانات عبر إعدادات المكون إذا لم تكن قيد الاستخدام النشط
4. تنفيذ تقسيم الشبكة لعزل خوادم WordPress عن الخدمات الداخلية الحساسة
5. مراقبة الاتصالات الصادرة من خادم WordPress باستخدام نظام كشف التسلل على مستوى المضيف
قواعد الكشف:
1. مراقبة طلبات POST إلى wp-admin/admin-ajax.php مع معامل 'csv_url' يحتوي على: localhost أو 127.0.0.1 أو نطاقات IP الخاصة أو بروتوكول file://
2. تنبيه محاولات الوصول إلى wp-config.php من عملية خادم الويب
3. مراقبة الاتصالات الصادرة غير العادية من عملية WordPress إلى نطاقات الشبكة الداخلية
4. تسجيل جميع أنشطة استيراد CSV لأداة جدول البيانات مع عنوان IP المصدر ومعاملات URL
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Access Control and Authentication
5.2.1 - User Access Management
5.3.1 - Privileged Access Management
6.1.1 - Security Monitoring and Logging
6.2.1 - Vulnerability Management
7.1.1 - Secure Development Practices
🔵 SAMA CSF
Governance - Risk Management Framework
Protect - Access Control
Protect - Data Protection
Detect - Security Monitoring
Respond - Incident Response
🟡 ISO 27001:2022
A.5.1 - Policies for information security
A.6.1 - Internal organization
A.8.1 - Asset management
A.9.1 - Access control
A.12.6 - Capacity management
A.14.1 - Information security requirements in development
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall configuration standards
Requirement 6.2 - Security patches
Requirement 6.5.1 - Injection flaws
Requirement 10.2 - Logging and monitoring
🔗 References & Sources 4
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/tablemaster-for-elementor/tags/1.3.6/modules...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/tablemaster-for-elementor/trunk/modules/data...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=344215...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/ef07d6b0-ccdb-4b33-817f-6d4b3...
security@wordfence.com