Title: Security vulnerability
Last modified: October 25, 2022

---

# Security vulnerability

 *  Resolved [wordmatej](https://wordpress.org/support/users/wordmatej/)
 * (@wordmatej)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-46/)
 * Hi,
    from Wordfence I received info: The Plugin “TablePress” has a security vulnerability.
 * Can you pls check and let me know?
 * Regards.


 *  [aleksandra0agrecalc](https://wordpress.org/support/users/aleksandra0agrecalc/)
 * (@aleksandra0agrecalc)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-46/#post-16131013)
 * I have the same issue as of this morning. Can anybody help?
 *  Plugin Author [Tobias Bäthge](https://wordpress.org/support/users/tobiasbg/)
 * (@tobiasbg)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-46/#post-16131195)
 * Hi [@wordmatej](https://wordpress.org/support/users/wordmatej/) and [@aleksandra0agrecalc](https://wordpress.org/support/users/aleksandra0agrecalc/),
 * thanks for your post, and sorry for the trouble.
 * I regard this report as invalid. Please see [https://wordpress.org/support/topic/wordfence-alerts-critical-for-vulenrability/?view=all#post-16068890](https://wordpress.org/support/topic/wordfence-alerts-critical-for-vulenrability/?view=all#post-16068890)
   and my other replies in that thread for the current status.
 * I’m currently working together with Wordfence to remove the underlying false 
   entry from the global database that all this is based on.
 * Best wishes,
    Tobias
 *  Thread Starter [wordmatej](https://wordpress.org/support/users/wordmatej/)
 * (@wordmatej)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-46/#post-16131225)
 * Ok, thanks.
    Best regards
 *  [aleksandra0agrecalc](https://wordpress.org/support/users/aleksandra0agrecalc/)
 * (@aleksandra0agrecalc)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-46/#post-16131233)
 * Hi [@tobiasbg](https://wordpress.org/support/users/tobiasbg/),
    Thank you so much for your quick response, much appreciated. Hopefully the issue gets resolved
   soon. The plugin has been great with the tables, so kudos for creating it. It’s
   also very easy to add the custom CSS to it. Cheers again, and all the best, Aleksandra
 *  Plugin Author [Tobias Bäthge](https://wordpress.org/support/users/tobiasbg/)
 * (@tobiasbg)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-46/#post-16131261)
 * Hi,
 * no problem, you are very welcome! 🙂 Good to hear that this helped!
 * Thanks for the kind words, I really appreciate it! Good to hear that you like
   TablePress so much!
 * Best wishes,
    Tobias
 * P.S.: In case you haven’t, please rate TablePress [here](https://wordpress.org/support/plugin/tablepress/reviews/#new-post)
   in the plugin directory. Thanks!
 *  Thread Starter [wordmatej](https://wordpress.org/support/users/wordmatej/)
 * (@wordmatej)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-46/#post-16131274)
 * Thanks a lot again and for quick reply.
    Best regards
 *  Plugin Author [Tobias Bäthge](https://wordpress.org/support/users/tobiasbg/)
 * (@tobiasbg)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-46/#post-16131862)
 * Hi,
 * no problem! Always happy to help!
 * Best wishes,
    Tobias
 *  [justauser034675](https://wordpress.org/support/users/woocomuser/)
 * (@woocomuser)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-46/#post-16141344)
 * Hi Tobias,
 * I don’t understand why you just don’t disable exports or replace the format. 
   Leaving it in is continuing to perpetuate the issue and it will lead to insecurities
   if users start ignoring Wordfence vulnerability critical warnings.
 * Thanks
 *  Plugin Author [Tobias Bäthge](https://wordpress.org/support/users/tobiasbg/)
 * (@tobiasbg)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-46/#post-16141885)
 * Hi [@woocomuser](https://wordpress.org/support/users/woocomuser/),
 * disabling exports is not an option, I’m afraid. It’s a very much needed and useful
   feature for users to create backups of their tables via exporting, or for data
   migration of tables from one site to another.
 * The same for formulas in general: TablePress is a table and spreadsheet plugin
   and many users use math formulas for calculations. Thus, it’s vital that these
   are exported as well. Note that TablePress itself only supports safe formulas.
   
   Unfortunately, just removing/stripping potentially malicious formulas is not 
   really possible, as there’s such a wide variety and so many ways to obfuscate 
   them. Otherwise, I would of course already have done that.
 * In addition, I’m of the strong opinion that TablePress is not to blame here:
   
   First, a site would already have to be compromised for an attacker to do something
   malicious. Then, the victim would have to have re-enabled a dangerous Excel feature
   in the Excel program options (one where Microsoft explicitly says “not recommended”).
   And on top of that, that user would have to ignore at least two very clear security
   warnings.
 * I was in fact already able to convince Wordfence of this, but their notifications
   rely on the global CVE security database. I’ve already contacted the responsible
   organization, MITRE, regarding removing that entry, but unfortunately haven’t
   heard back from them. So, until they remove the entry, we’ll have to live with
   that warning it looks like. Please believe me that I’m the last person that wants
   this. As you can imagine all this has put a severe level of work on me in the
   last weeks.
 * Regards,
    Tobias
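
An added example, not part of the thread and not TablePress or Wordfence code: one way for a site owner to review an exported table before opening it in a spreadsheet program, listing every formula cell and marking those that go beyond plain arithmetic. It assumes the export is a CSV file; the allowed function list, the token grammar, the `review` verdict and the sample data (including the made-up `EXTERNAL_CALL`) are assumptions of this example.

```python
import csv
import io
import re

# Leading characters that make a spreadsheet program evaluate a cell.
FORMULA_PREFIXES = ("=", "+", "-", "@")
# Assumption of this example: functions regarded as plain calculations.
ALLOWED_FUNCTIONS = {"SUM", "AVERAGE", "MIN", "MAX", "ROUND", "COUNT"}
# Allowed tokens: whitespace, function name before "(", cell ref, number, operator.
TOKEN = re.compile(
    r"\s+|(?P<func>[A-Z_][A-Z0-9_.]*)(?=\()|\$?[A-Z]{1,3}\$?\d+"
    r"|\d+(?:\.\d+)?|[-+*/^(),:%]"
)
SIGNED_NUMBER = re.compile(r"[-+]\d+(?:[.,]\d+)?%?")  # data such as -2.50

def classify_cell(value):
    """Return 'text', 'calculation' or 'review' for one exported cell."""
    cell = value.lstrip(" \t\r\n")
    if (not cell.startswith(FORMULA_PREFIXES) or len(cell) == 1
            or SIGNED_NUMBER.fullmatch(cell)):
        return "text"
    body = (cell[1:] if cell[0] in "=@" else cell).upper()
    pos = 0
    while pos < len(body):
        match = TOKEN.match(body, pos)
        if match is None:
            return "review"  # quotes, "!", "|", bare names, unknown syntax
        if match.group("func") and match.group("func") not in ALLOWED_FUNCTIONS:
            return "review"  # function outside the allowlist
        pos = match.end()
    return "calculation"

def audit_export(csv_text):
    """List (row, column, verdict, value) for every non-text cell."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for c, cell in enumerate(row, start=1):
            verdict = classify_cell(cell)
            if verdict != "text":
                findings.append((r, c, verdict, cell))
    return findings

# Constructed sample export; EXTERNAL_CALL is a made-up function name.
SAMPLE_EXPORT = (
    "Item,Price,Qty,Total\n"
    "Widget,-2.50,4,=B2*C2\n"
    'Gadget,7,3,"=ROUND(SUM(B2:B3),2)"\n'
    'Note,"=EXTERNAL_CALL(""x"")",,\n'
)
```

The check is an allowlist on purpose: it reports anything it does not recognise instead of trying to enumerate bad formulas, and it leaves the export itself unchanged.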


 * 12 replies
 * 4 participants
 * Last reply from: [Tobias Bäthge](https://wordpress.org/support/users/tobiasbg/)
 * Last activity: [3 years, 7 months ago](https://wordpress.org/support/topic/security-vulnerability-46/#post-16141885)
 * Status: resolved