Droogs

https://www.w3.org/WAI/tutorials/images/decorative/

When we ADA tag everything there are decorative images that don’t need a tag because they are purely for show and don’t need explanation. By tagging them as decorative the accessibility readers skip them for the ADA user.

Thanks for reaching out! We are not incorrectly flagging the vulnerability, the CVE is explicitly assigned to TablePress, CVE-2019–20180, and does not apply to all text editors/spreadsheet software in general. Here is the original public disclosure link from back in 2019: https://medium.com/@Pablo0xSantiago/cve-2019-20180-tablepress-version-1-9-2-csv-injection-65309fcc8be8.
?
I have tried to work with Tobias from TablePress to explain the inherent risks of leaving such a vulnerability in his plugin, however, he disagrees on responsibility pointing the blame of CSV software rather than providing a patch in his plugin. At this point we have not been able to come to terms with the developer. Since this vulnerability has a CVE, and we deem it as a security risk based on industry standards, we will not be removing the vulnerability from our vulnerability database which returns scan results. The plugin will show-up as unpatched until the developer has patched the vulnerability.

Just to share more details, TablePress has a CSV Injection vulnerability, which is a vulnerability that occurs when a software allows formulas to be injected into CSV files created by the software. Please see CWE https://cwe.mitre.org/data/definitions/1236.html When exporting tables from TablePress there is no neutralization of any formulas that have been added to a table which is what creates the CSV Injection vulnerability. This means a user with access to TablePress, such as an Editor, can inject CSV formulas into a table and if another victim, such as a site’s administrator, exports the table and opens it in a CSV software such as Excel or Google Sheets then that formula will run. These formulas can be used to achieve code execution on the victim machine or exfiltrate information from the CSV software.

Please be aware that it is a very minimal security risk as there are many steps to exploitation and it is unlikely to be seen exploited in the wild. However, that doesn’t eliminate the fact that it is a security risk and the developer can do something about it.

Thanks and have a great day!

Chloe Chamberland
Wordfence Threat Intelligence Lead____________________
M.S. Cybersecurity and Information Assurance
OSCP | OSWP | OSWE | eWPT | C|EH | E|CSA | CHFI | Security+ | CySA+ | PenTest+ | CASP+ | SSCP | CISSP | AWS CCP | AWS SAA | AWS Security Specialty
Defiant Inc[defiant.com]. The people behind…
Wordfence – Security for WordPress Websites

We have been in contact with the plugin author that the vulnerability we have found is valid and correct so we will continue to mark it as such in scans until they patch the vulnerabiltiy.

Kind regards,

Phil
Customer Support Engineer

Wordfence – Security for WordPress Websites

You are the best!!!!!!!!!!

The ARIA errors on this page appear legitimate. The tables have aria-describedby=”tablepress-30-description” attributes, but there are no elements in the page with id=”tablepress-30-description”. This creates a broken relationship and a description that is not present for the tables, thus the WAVE errors.

done thanks

certifiedfed.com

If I need to change permissions, where and to what?

I have unchecked the Scan files outside your WordPress installation and still no luck.

The plugin has an enable/disable feature depending on the login status of the user. I noticed if I was logged in, the recaptcha would work, but if I were logged out it would not appear. So I think this feature of the plugin is causing conflicts when Gravity Forms is trying to show a recatpcha.

How is the update coming?

https://tablepress.org/demo/

If you go tot he demo site you have. We are trying to center the contents under the header. In the first table you have, the numbers in the cells under the header are left justified. We are trying to center them. Please help.

Do you have a private email address I can send the link too?