Attack Vectors
CVE-2025-39534 is a Medium-severity Stored Cross-Site Scripting (XSS) issue (CVSS 6.4, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) affecting Ninja Tables Pro (slug: ninja-tables-pro) versions <= 5.0.17. It can be exploited by an authenticated WordPress user with Contributor-level access or higher.
In practical terms, if your organization allows contributors (including external writers, agencies, or multiple internal teams) to create or edit content, a compromised contributor account—or a malicious insider—could inject script into content that will run when other users view the affected page.
Reference: CVE record and Wordfence advisory.
Security Weakness
The vulnerability is caused by insufficient input sanitization and output escaping in Ninja Tables Pro up to version 5.0.17: user-supplied content is stored without being adequately sanitized and is later rendered without being adequately escaped, so attacker-controlled markup is emitted into the page and executes as script in the browser of anyone who views it. This matters at Contributor level because WordPress core's own KSES filtering applies to post content for users who lack the unfiltered_html capability; data that a plugin stores and renders itself is the plugin's responsibility to sanitize and escape.
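To make the weakness concrete, here is an added example of the pattern described above, written for this page and not taken from Ninja Tables Pro: a hypothetical table-row renderer that concatenates stored cell values straight into HTML, beside a hardened version that escapes at output with the context-appropriate WordPress escaper and restricts raw markup at save time to users holding unfiltered_html. The function names, the sample rows and the stand-in definitions are assumptions; inside WordPress the real esc_html, esc_url, wp_strip_all_tags and current_user_can are used instead.

```php
<?php
// Added example (not Ninja Tables Pro code): a table-cell renderer that echoes
// stored data unescaped, next to a hardened version. Function names and the
// sample rows are hypothetical. Assumes the WordPress escaping/capability API;
// the stand-ins below let the file also run with plain `php` outside WordPress.

if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Stand-in (stricter than WordPress's esc_url, which also rejects javascript:):
    // keep only absolute http/https links and attribute-escape them.
    function esc_url( $url ) {
        $scheme = strtolower( (string) parse_url( (string) $url, PHP_URL_SCHEME ) );
        return in_array( $scheme, array( 'http', 'https' ), true ) ? esc_html( $url ) : '';
    }
}
if ( ! function_exists( 'wp_strip_all_tags' ) ) {
    function wp_strip_all_tags( $text ) {
        return trim( strip_tags( (string) $text ) );
    }
}
if ( ! function_exists( 'current_user_can' ) ) {
    // Stand-in: outside WordPress behave like a Contributor, who lacks unfiltered_html.
    function current_user_can( $cap ) {
        return false;
    }
}

// Constructed rows: the second is what a malicious Contributor might save.
$rows = array(
    array( 'Product' => 'Widget', 'Link' => 'https://example.com/widget' ),
    array(
        'Product' => '<img src=x onerror="alert(document.cookie)">',
        'Link'    => 'javascript:alert(document.domain)',
    ),
);

// Vulnerable pattern: stored values are concatenated straight into HTML,
// so markup saved by a low-privileged user runs for every viewer.
function render_row_vulnerable( array $row ) {
    return '<tr><td>' . $row['Product'] . '</td>'
         . '<td><a href="' . $row['Link'] . '">' . $row['Product'] . '</a></td></tr>';
}

// Hardened pattern: escape at output, using the escaper that matches the
// context (text node vs. href attribute). A rejected URL degrades to plain text.
function render_row_hardened( array $row ) {
    $label = esc_html( $row['Product'] );
    $href  = esc_url( $row['Link'] );
    $link  = ( $href === '' ) ? $label : '<a href="' . $href . '">' . $label . '</a>';
    return '<tr><td>' . $label . '</td><td>' . $link . '</td></tr>';
}

// Save-time defence in depth: only users holding unfiltered_html (by default
// Administrators, and Editors on single-site installs) may store raw markup,
// which is the same trust WordPress grants their post content. Everyone else,
// Contributors included, has tags stripped before the value is persisted.
function sanitize_cell_on_save( $value ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return (string) $value;
    }
    return wp_strip_all_tags( $value );
}

foreach ( $rows as $row ) {
    echo 'vulnerable: ' . render_row_vulnerable( $row ) . "\n";
    echo 'hardened:   ' . render_row_hardened( $row ) . "\n";
    echo 'on save:    ' . sanitize_cell_on_save( $row['Product'] ) . "\n\n";
}
```

Run with `php example.php`: the vulnerable renderer emits the onerror handler and the javascript: link verbatim, while the hardened renderer turns the img tag into inert text and drops the javascript: href. The save-time check is a second layer, not a substitute for output escaping; output escaping is what stops content that was stored before the fix from executing.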
Because this is stored XSS, the malicious content can persist on your site until discovered and removed, increasing the likelihood that staff, customers, or partners will be exposed when viewing the affected pages.
Remediation: Update Ninja Tables Pro to version 5.0.18 (or a newer patched version). Confirm the installed version afterwards (on the Plugins screen, or with `wp plugin list` under WP-CLI). Because this is stored XSS, also review existing table content created by lower-privileged accounts rather than assuming the update removed anything already saved.
Technical or Business Impacts
For business leaders, the primary risk is not “a pop-up”—it’s what malicious scripts can do in the context of your brand and user sessions. Potential impacts include:
Brand and campaign risk: Attackers may alter page content, inject unwanted ads, redirect traffic, or deface high-visibility marketing pages—hurting conversion rates and credibility.
Account and data exposure: Scripts can attempt to steal session information or capture what users type into forms, increasing the risk of unauthorized access, lead data leakage, or downstream fraud (within the limits of what a browser-based script can reach). WordPress sets its authentication cookies HttpOnly, so script usually cannot read them directly, but script running in a logged-in administrator's browser can still issue authenticated requests on that administrator's behalf, for example to create users or change site settings.
Compliance and customer trust: If injected content impacts pages collecting personal data (e.g., lead-gen forms), the event may trigger internal incident response, legal/compliance reviews, and customer communications—creating unplanned cost and reputational damage.
Operational disruption: Cleanup typically includes emergency patching, content review, credential resets, and forensic validation—diverting marketing and web teams from planned work.
Similar Attacks
Stored XSS has been used to spread quickly across user profiles and pages in real-world incidents. A well-known example is the MySpace “Samy” worm, which propagated via stored XSS and demonstrated how quickly this class of issue can escalate once malicious code is saved and repeatedly viewed: https://en.wikipedia.org/wiki/Samy_(computer_worm).