
    26 vulnerabilities by WPDataTables

    CVE-2026-54825 (GCVE-0-2026-54825)

    Vulnerability from nvd – Published: 2026-06-26 14:52 – Updated: 2026-06-26 15:51
    VLAI
    Title
    WordPress wpDataTables plugin <= 7.4 - SQL Injection vulnerability
    Summary
    Unauthenticated SQL Injection in wpDataTables <= 7.4 versions.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    wpDataTables wpDataTables Affected: n/a , ≤ 7.4 (custom)
    Credits
    Expatch | Patchstack Bug Bounty Program

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54825",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T15:51:12.626864Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T15:51:26.440Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wpdatatables",
              "product": "wpDataTables",
              "vendor": "wpDataTables",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "7.4.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "7.4",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Expatch | Patchstack Bug Bounty Program"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unauthenticated SQL Injection in wpDataTables \u003c= 7.4 versions."
                }
              ],
              "value": "Unauthenticated SQL Injection in wpDataTables \u003c= 7.4 versions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-7",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-7 Blind SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T14:52:20.469Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/wordpress/plugin/wpdatatables/vulnerability/wordpress-wpdatatables-plugin-7-4-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update the WordPress wpDataTables Plugin to the latest available version (at least 7.4.1)."
                }
              ],
              "value": "Update the WordPress wpDataTables Plugin to the latest available version (at least 7.4.1)."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress wpDataTables plugin \u003c= 7.4 - SQL Injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2026-54825",
        "datePublished": "2026-06-26T14:52:20.469Z",
        "dateReserved": "2026-06-16T09:21:51.802Z",
        "dateUpdated": "2026-06-26T15:51:26.440Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5721 (GCVE-0-2026-5721)

    Vulnerability from nvd – Published: 2026-04-20 22:25 – Updated: 2026-04-21 19:49
    VLAI
    Title
    wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 6.5.0.4 - Unauthenticated Stored Cross-Site Scripting via CSV/Excel Data Import
    Summary
    The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.5.0.4. This is due to insufficient input sanitization and output escaping in the prepareCellOutput() method of the LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, given that they can trick an Administrator into importing data from an attacker-controlled source and the affected column types (Link, Image, or Email) are configured.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Thai Do Nhat

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5721",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-21T17:43:32.267364Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-21T19:49:47.411Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin",
              "vendor": "wpdatatables",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Thai Do Nhat"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.5.0.4. This is due to insufficient input sanitization and output escaping in the prepareCellOutput() method of the LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, given that they can trick an Administrator into importing data from an attacker-controlled source and the affected column types (Link, Image, or Email) are configured."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-20T22:25:26.695Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8db736fb-cd6c-4a52-9dd3-eefd0a8d9267?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3510613/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-26T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-04-06T20:46:39.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-20T09:28:15.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin \u003c= 6.5.0.4 - Unauthenticated Stored Cross-Site Scripting via CSV/Excel Data Import"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5721",
        "datePublished": "2026-04-20T22:25:26.695Z",
        "dateReserved": "2026-04-06T20:31:13.417Z",
        "dateUpdated": "2026-04-21T19:49:47.411Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28039 (GCVE-0-2026-28039)

    Vulnerability from nvd – Published: 2026-03-05 05:54 – Updated: 2026-04-28 17:32
    VLAI
    Title
    WordPress wpDataTables plugin <= 6.5.0.1 - Local File Inclusion vulnerability
    Summary
    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpDataTables wpDataTables wpdatatables allows PHP Local File Inclusion. This issue affects wpDataTables: from n/a through <= 6.5.0.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
    Assigner
    References
    Impacted products
    Vendor Product Version
    wpDataTables wpDataTables Affected: 0 , ≤ 6.5.0.1 (custom)
    Date Public
    2026-04-22 14:18
    Credits
    Nguyen Xuan Chien | Patchstack Bug Bounty Program

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28039",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-06T18:14:16.718942Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-28T17:32:47.465Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wpdatatables",
              "product": "wpDataTables",
              "vendor": "wpDataTables",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "6.5.0.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "6.5.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nguyen Xuan Chien | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-22T14:18:40.760Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in wpDataTables wpDataTables wpdatatables allows PHP Local File Inclusion.\u003cp\u003eThis issue affects wpDataTables: from n/a through \u003c= 6.5.0.1.\u003c/p\u003e"
                }
              ],
              "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in wpDataTables wpDataTables wpdatatables allows PHP Local File Inclusion.This issue affects wpDataTables: from n/a through \u003c= 6.5.0.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-252",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "PHP Local File Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-98",
                  "description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:15:05.068Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wpdatatables/vulnerability/wordpress-wpdatatables-plugin-6-4-0-5-local-file-inclusion-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress wpDataTables plugin \u003c= 6.5.0.1 - Local File Inclusion vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2026-28039",
        "datePublished": "2026-03-05T05:54:14.794Z",
        "dateReserved": "2026-02-25T12:13:25.489Z",
        "dateUpdated": "2026-04-28T17:32:47.465Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3821 (GCVE-0-2024-3821)

    Vulnerability from nvd – Published: 2024-06-01 08:38 – Updated: 2026-04-08 17:25
    VLAI
    Title
    wpDataTables - Tables & Table Charts (Premium) <= 6.3.2 - Missing Authorization to DataTable Access & Modification
    Summary
    The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the wdt_ajax_actions.php file in all versions up to, and including, 6.3.2. This makes it possible for unauthenticated attackers to manipulate data tables. Please note this only affects the premium version of the plugin.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Villu Orav

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3821",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-03T14:20:47.886424Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:31:07.663Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:20:02.063Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d32215b5-9ecb-4feb-b76f-18821184dd8b?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin",
              "vendor": "wpdatatables",
              "versions": [
                {
                  "lessThanOrEqual": "6.3.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Villu Orav"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the wdt_ajax_actions.php file in all versions up to, and including, 6.3.2. This makes it possible for unauthenticated attackers to manipulate data tables. Please note this only affects the premium version of the plugin."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:25:30.565Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d32215b5-9ecb-4feb-b76f-18821184dd8b?source=cve"
            },
            {
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-10-30T11:18:40.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-05-31T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "wpDataTables - Tables \u0026 Table Charts (Premium) \u003c= 6.3.2 - Missing Authorization to DataTable Access \u0026 Modification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3821",
        "datePublished": "2024-06-01T08:38:55.760Z",
        "dateReserved": "2024-04-15T14:43:52.796Z",
        "dateUpdated": "2026-04-08T17:25:30.565Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3820 (GCVE-0-2024-3820)

    Vulnerability from nvd – Published: 2024-06-01 08:38 – Updated: 2026-04-08 17:34
    VLAI
    Title
    wpDataTables - Tables & Table Charts (Premium) <= 6.3.1 - Unauthenticated SQL Injection
    Summary
    The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to SQL Injection via the 'id_key' parameter of the wdt_delete_table_row AJAX action in all versions up to, and including, 6.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Please note this only affects the premium version of the plugin.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    WPDataTables wpDataTables (Premium) Affected: 0 , ≤ 6.3.1 (semver)
    tms-plugins wpdatatables Affected: 0 , ≤ 6.3.1 (semver)
        cpe:2.3:a:tms-plugins:wpdatatables:*:*:*:*:*:*:*:*
    Credits
    Villu Orav

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:tms-plugins:wpdatatables:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "wpdatatables",
                "vendor": "tms-plugins",
                "versions": [
                  {
                    "lessThanOrEqual": "6.3.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3820",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-03T18:45:25.425676Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:31:23.147Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:20:01.772Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbba822b-172f-4167-bccf-4697a298178e?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "wpDataTables (Premium)",
              "vendor": "WPDataTables",
              "versions": [
                {
                  "lessThanOrEqual": "6.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Villu Orav"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to SQL Injection via the \u0027id_key\u0027 parameter of the wdt_delete_table_row AJAX action in all versions up to, and including, 6.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Please note this only affects the premium version of the plugin."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:34:35.118Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbba822b-172f-4167-bccf-4697a298178e?source=cve"
            },
            {
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-31T20:10:54.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "wpDataTables - Tables \u0026 Table Charts (Premium) \u003c= 6.3.1 - Unauthenticated SQL Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3820",
        "datePublished": "2024-06-01T08:38:58.419Z",
        "dateReserved": "2024-04-15T14:40:48.923Z",
        "dateUpdated": "2026-04-08T17:34:35.118Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4895 (GCVE-0-2024-4895)

    Vulnerability from nvd – Published: 2024-05-23 02:33 – Updated: 2026-04-08 16:35
    Title
    wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 3.4.2.12 - Unauthenticated Stored Cross-Site Scripting via CSV Import
    Summary
    The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CSV import functionality in all versions up to, and including, 3.4.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Credits
    Tim Coen

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4895",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-23T14:35:56.607961Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:55:17.648Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:55:10.244Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c944e08-1b70-4b56-80eb-f588c0fab5b6?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3089897/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/wpdatatables/#developers"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin",
              "vendor": "wpdatatables",
              "versions": [
                {
                  "lessThanOrEqual": "3.4.2.12",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tim Coen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CSV import functionality in all versions up to, and including, 3.4.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:35:05.928Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c944e08-1b70-4b56-80eb-f588c0fab5b6?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3089897/"
            },
            {
              "url": "https://wordpress.org/plugins/wpdatatables/#developers"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-22T14:10:41.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin \u003c= 3.4.2.12 - Unauthenticated Stored Cross-Site Scripting via CSV Import"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-4895",
        "datePublished": "2024-05-23T02:33:06.431Z",
        "dateReserved": "2024-05-15T05:43:14.775Z",
        "dateUpdated": "2026-04-08T16:35:05.928Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-0591 (GCVE-0-2024-0591)

    Vulnerability from nvd – Published: 2024-03-13 15:26 – Updated: 2026-04-08 16:55
    Title
    wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 3.4.2.2 - Reflected Cross-Site Scripting.
    Summary
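    The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'A' parameter in all versions up to, and including, 3.4.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Note: the structured affected range in the record below gives lessThanOrEqual 3.4.2.4, which is wider than the 3.4.2.2 stated in this title and summary, so compare an installed version against both. The references point to a sample script inside the bundled PhpSpreadsheet library under lib/phpoffice/phpspreadsheet/, which suggests the reflected parameter is handled by shipped third-party sample code rather than by the plugin's own code; sample directories of vendored libraries should not be deployed to a web-reachable path.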
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Credits
    Matthew Rollings

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-0591",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-13T17:49:52.303248Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-24T19:20:29.488Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:11:35.194Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a679863-3c22-4d34-9994-1f8ec121ad86?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.svn.wordpress.org/wpdatatables/trunk/lib/phpoffice/phpspreadsheet/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.svn.wordpress.org/wpdatatables/trunk/lib/phpoffice/phpspreadsheet/samples/Basic/45_Quadratic_equation_solver.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3037741%40wpdatatables\u0026new=3037741%40wpdatatables\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin",
              "vendor": "wpdatatables",
              "versions": [
                {
                  "lessThanOrEqual": "3.4.2.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027A\u0027 parameter in all versions up to, and including, 3.4.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:55:07.008Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a679863-3c22-4d34-9994-1f8ec121ad86?source=cve"
            },
            {
              "url": "https://plugins.svn.wordpress.org/wpdatatables/trunk/lib/phpoffice/phpspreadsheet/"
            },
            {
              "url": "https://plugins.svn.wordpress.org/wpdatatables/trunk/lib/phpoffice/phpspreadsheet/samples/Basic/45_Quadratic_equation_solver.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3037741%40wpdatatables\u0026new=3037741%40wpdatatables\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-02-20T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin \u003c= 3.4.2.2 - Reflected Cross-Site Scripting."
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-0591",
        "datePublished": "2024-03-13T15:26:50.625Z",
        "dateReserved": "2024-01-16T13:49:20.243Z",
        "dateUpdated": "2026-04-08T16:55:07.008Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-24200 (GCVE-0-2021-24200)

    Vulnerability from nvd – Published: 2021-04-12 13:59 – Updated: 2024-08-03 19:21
    Title
    wpDataTables < 3.4.2 - Blind SQL Injection via length Parameter
    Summary
    The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.
    Severity
    No CVSS data available.
    CWE
    Credits
    Veno Eivazian, Massimiliano Ferraresi

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:21:18.669Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wpDataTables \u2013 Tables \u0026 Table Charts",
              "vendor": "wpDataTables",
              "versions": [
                {
                  "lessThan": "3.4.2",
                  "status": "affected",
                  "version": "3.4.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Veno Eivazian, Massimiliano Ferraresi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable\u0026table_id=1, on the \u0027length\u0027 HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-12T13:59:38.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "wpDataTables \u003c 3.4.2 - Blind SQL Injection via length Parameter",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24200",
              "STATE": "PUBLIC",
              "TITLE": "wpDataTables \u003c 3.4.2 - Blind SQL Injection via length Parameter"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "wpDataTables \u2013 Tables \u0026 Table Charts",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "3.4.2",
                                "version_value": "3.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "wpDataTables"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Veno Eivazian, Massimiliano Ferraresi"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable\u0026table_id=1, on the \u0027length\u0027 HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpdatatables.com/help/whats-new-changelog/",
                  "refsource": "MISC",
                  "url": "https://wpdatatables.com/help/whats-new-changelog/"
                },
                {
                  "name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/",
                  "refsource": "MISC",
                  "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
                },
                {
                  "name": "https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24200",
        "datePublished": "2021-04-12T13:59:38.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:21:18.669Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24199 (GCVE-0-2021-24199)

    Vulnerability from nvd – Published: 2021-04-12 13:59 – Updated: 2024-08-03 19:21
    Title
    wpDataTables < 3.4.2 - Blind SQL Injection via start Parameter
    Summary
    The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.
    Severity
    No CVSS data available.
    CWE
    Credits
    Veno Eivazian, Massimiliano Ferraresi

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:21:18.723Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/5c98c2d6-d002-4cff-9d6f-633cb3ec6280"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wpDataTables \u2013 Tables \u0026 Table Charts",
              "vendor": "wpDataTables",
              "versions": [
                {
                  "lessThan": "3.4.2",
                  "status": "affected",
                  "version": "3.4.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Veno Eivazian, Massimiliano Ferraresi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable\u0026table_id=1, on the \u0027start\u0027 HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-12T13:59:17.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/5c98c2d6-d002-4cff-9d6f-633cb3ec6280"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "wpDataTables \u003c 3.4.2 - Blind SQL Injection via start Parameter",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24199",
              "STATE": "PUBLIC",
              "TITLE": "wpDataTables \u003c 3.4.2 - Blind SQL Injection via start Parameter"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "wpDataTables \u2013 Tables \u0026 Table Charts",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "3.4.2",
                                "version_value": "3.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "wpDataTables"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Veno Eivazian, Massimiliano Ferraresi"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable\u0026table_id=1, on the \u0027start\u0027 HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpdatatables.com/help/whats-new-changelog/",
                  "refsource": "MISC",
                  "url": "https://wpdatatables.com/help/whats-new-changelog/"
                },
                {
                  "name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/",
                  "refsource": "MISC",
                  "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
                },
                {
                  "name": "https://wpscan.com/vulnerability/5c98c2d6-d002-4cff-9d6f-633cb3ec6280",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/5c98c2d6-d002-4cff-9d6f-633cb3ec6280"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24199",
        "datePublished": "2021-04-12T13:59:17.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:21:18.723Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24198 (GCVE-0-2021-24198)

    Vulnerability from nvd – Published: 2021-04-12 13:58 – Updated: 2024-08-03 19:21
    Title
    wpDataTables < 3.4.2 - Improper Access Control leading to Table Data Deletion
    Summary
    The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low-privileged authenticated user who visits the page where the table is published can tamper with the id_key and id_val parameters to delete another user's data in the same table. By exploiting this issue an attacker is able to delete the data of all users in the same table.
    Severity
    No CVSS data available.
    CWE
    • CWE-284 - Improper Access Control
    Credits
    Veno Eivazian, Massimiliano Ferraresi

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:21:18.665Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/d953bc62-8a6f-445b-a556-bc25cdd200e3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wpDataTables \u2013 Tables \u0026 Table Charts",
              "vendor": "wpDataTables",
              "versions": [
                {
                  "lessThan": "3.4.2",
                  "status": "affected",
                  "version": "3.4.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Veno Eivazian, Massimiliano Ferraresi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to delete the data of another user that are present in the same table through id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-12T13:58:49.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/d953bc62-8a6f-445b-a556-bc25cdd200e3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "wpDataTables \u003c 3.4.2 - Improper Access Control leading to Table Data Deletion",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24198",
              "STATE": "PUBLIC",
              "TITLE": "wpDataTables \u003c 3.4.2 - Improper Access Control leading to Table Data Deletion"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "wpDataTables \u2013 Tables \u0026 Table Charts",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "3.4.2",
                                "version_value": "3.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "wpDataTables"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Veno Eivazian, Massimiliano Ferraresi"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to delete the data of another user that are present in the same table through id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpdatatables.com/help/whats-new-changelog/",
                  "refsource": "MISC",
                  "url": "https://wpdatatables.com/help/whats-new-changelog/"
                },
                {
                  "name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/",
                  "refsource": "MISC",
                  "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
                },
                {
                  "name": "https://wpscan.com/vulnerability/d953bc62-8a6f-445b-a556-bc25cdd200e3",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/d953bc62-8a6f-445b-a556-bc25cdd200e3"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24198",
        "datePublished": "2021-04-12T13:58:49.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:21:18.665Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24197 (GCVE-0-2021-24197)

    Vulnerability from nvd – Published: 2021-04-12 13:58 – Updated: 2024-08-03 19:21
    Title
    wpDataTables < 3.4.2 - Improper Access Control leading to Table Permission Takeover
    Summary
    The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low-privileged authenticated user who visits the page where the table is published can tamper with the parameters to access the data of another user that is present in the same table by taking over the user permissions on the table through the formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table.
    Severity
    No CVSS data available.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Credits
    Veno Eivazian, Massimiliano Ferraresi

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:21:18.696Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/a56c04a4-dda0-4a7f-a525-d0349a1fda2b"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wpDataTables \u2013 Tables \u0026 Table Charts",
              "vendor": "wpDataTables",
              "versions": [
                {
                  "lessThan": "3.4.2",
                  "status": "affected",
                  "version": "3.4.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Veno Eivazian, Massimiliano Ferraresi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to access the data of another user that are present in the same table by taking over the user permissions on the table through formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-12T13:58:04.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/a56c04a4-dda0-4a7f-a525-d0349a1fda2b"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "wpDataTables \u003c 3.4.2 - Improper Access Control leading to Table Permission Takeover",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24197",
              "STATE": "PUBLIC",
              "TITLE": "wpDataTables \u003c 3.4.2 - Improper Access Control leading to Table Permission Takeover"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "wpDataTables \u2013 Tables \u0026 Table Charts",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "3.4.2",
                                "version_value": "3.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "wpDataTables"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Veno Eivazian, Massimiliano Ferraresi"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to access the data of another user that are present in the same table by taking over the user permissions on the table through formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpdatatables.com/help/whats-new-changelog/",
                  "refsource": "MISC",
                  "url": "https://wpdatatables.com/help/whats-new-changelog/"
                },
                {
                  "name": "https://wpscan.com/vulnerability/a56c04a4-dda0-4a7f-a525-d0349a1fda2b",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/a56c04a4-dda0-4a7f-a525-d0349a1fda2b"
                },
                {
                  "name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/",
                  "refsource": "MISC",
                  "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24197",
        "datePublished": "2021-04-12T13:58:04.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:21:18.696Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26754 (GCVE-0-2021-26754)

    Vulnerability from nvd – Published: 2021-02-07 23:31 – Updated: 2024-08-03 20:33
    Summary
    wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:33:40.866Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-i/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/wpdatatables/#developers"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-07T23:31:38.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-i/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wordpress.org/plugins/wpdatatables/#developers"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-26754",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpdatatables.com/help/whats-new-changelog/",
                  "refsource": "MISC",
                  "url": "https://wpdatatables.com/help/whats-new-changelog/"
                },
                {
                  "name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-i/",
                  "refsource": "MISC",
                  "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-i/"
                },
                {
                  "name": "https://wordpress.org/plugins/wpdatatables/#developers",
                  "refsource": "MISC",
                  "url": "https://wordpress.org/plugins/wpdatatables/#developers"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-26754",
        "datePublished": "2021-02-07T23:31:38.000Z",
        "dateReserved": "2021-02-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T20:33:40.866Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-9175 (GCVE-0-2014-9175)

    Vulnerability from nvd – Published: 2014-12-02 16:00 – Updated: 2024-08-06 13:33
    Summary
    SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2014-11-23 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T13:33:13.506Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "71271",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/71271"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://www.homelab.it/index.php/2014/11/23/wordpress-wpdatatables-sql-injection-vulnerability"
              },
              {
                "name": "wp-wpdatatables-sql-injection(98928)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98928"
              },
              {
                "name": "35340",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/35340"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/129232/WordPress-wpDataTables-1.5.3-SQL-Injection.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2014-11-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-07T15:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "71271",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/71271"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://www.homelab.it/index.php/2014/11/23/wordpress-wpdatatables-sql-injection-vulnerability"
            },
            {
              "name": "wp-wpdatatables-sql-injection(98928)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98928"
            },
            {
              "name": "35340",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/35340"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/129232/WordPress-wpDataTables-1.5.3-SQL-Injection.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2014-9175",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "71271",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/71271"
                },
                {
                  "name": "http://www.homelab.it/index.php/2014/11/23/wordpress-wpdatatables-sql-injection-vulnerability",
                  "refsource": "MISC",
                  "url": "http://www.homelab.it/index.php/2014/11/23/wordpress-wpdatatables-sql-injection-vulnerability"
                },
                {
                  "name": "wp-wpdatatables-sql-injection(98928)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98928"
                },
                {
                  "name": "35340",
                  "refsource": "EXPLOIT-DB",
                  "url": "http://www.exploit-db.com/exploits/35340"
                },
                {
                  "name": "http://packetstormsecurity.com/files/129232/WordPress-wpDataTables-1.5.3-SQL-Injection.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/129232/WordPress-wpDataTables-1.5.3-SQL-Injection.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2014-9175",
        "datePublished": "2014-12-02T16:00:00.000Z",
        "dateReserved": "2014-12-02T00:00:00.000Z",
        "dateUpdated": "2024-08-06T13:33:13.506Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-54825 (GCVE-0-2026-54825)

    Vulnerability from cvelistv5 – Published: 2026-06-26 14:52 – Updated: 2026-06-26 15:51
    Title
    WordPress wpDataTables plugin <= 7.4 - SQL Injection vulnerability
    Summary
    Unauthenticated SQL Injection in wpDataTables <= 7.4 versions.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    wpDataTables wpDataTables Affected: n/a , ≤ 7.4 (custom)
    Credits
    Expatch | Patchstack Bug Bounty Program

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-54825",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T15:51:12.626864Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T15:51:26.440Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wpdatatables",
              "product": "wpDataTables",
              "vendor": "wpDataTables",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "7.4.1",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "7.4",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Expatch | Patchstack Bug Bounty Program"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unauthenticated SQL Injection in wpDataTables \u003c= 7.4 versions."
                }
              ],
              "value": "Unauthenticated SQL Injection in wpDataTables \u003c= 7.4 versions."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-7",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-7 Blind SQL Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T14:52:20.469Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/wordpress/plugin/wpdatatables/vulnerability/wordpress-wpdatatables-plugin-7-4-sql-injection-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update the WordPress wpDataTables Plugin to the latest available version (at least 7.4.1)."
                }
              ],
              "value": "Update the WordPress wpDataTables Plugin to the latest available version (at least 7.4.1)."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress wpDataTables plugin \u003c= 7.4 - SQL Injection vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2026-54825",
        "datePublished": "2026-06-26T14:52:20.469Z",
        "dateReserved": "2026-06-16T09:21:51.802Z",
        "dateUpdated": "2026-06-26T15:51:26.440Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5721 (GCVE-0-2026-5721)

    Vulnerability from cvelistv5 – Published: 2026-04-20 22:25 – Updated: 2026-04-21 19:49
    VLAI
    Title
    wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 6.5.0.4 - Unauthenticated Stored Cross-Site Scripting via CSV/Excel Data Import
    Summary
    The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.5.0.4. This is due to insufficient input sanitization and output escaping in the prepareCellOutput() method of the LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, given that they can trick an Administrator into importing data from an attacker-controlled source and the affected column types (Link, Image, or Email) are configured.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Thai Do Nhat

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5721",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-21T17:43:32.267364Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-21T19:49:47.411Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin",
              "vendor": "wpdatatables",
              "versions": [
                {
                  "lessThanOrEqual": "6.5.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Thai Do Nhat"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.5.0.4. This is due to insufficient input sanitization and output escaping in the prepareCellOutput() method of the LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, given that they can trick an Administrator into importing data from an attacker-controlled source and the affected column types (Link, Image, or Email) are configured."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-20T22:25:26.695Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8db736fb-cd6c-4a52-9dd3-eefd0a8d9267?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3510613/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-26T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-04-06T20:46:39.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-20T09:28:15.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin \u003c= 6.5.0.4 - Unauthenticated Stored Cross-Site Scripting via CSV/Excel Data Import"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5721",
        "datePublished": "2026-04-20T22:25:26.695Z",
        "dateReserved": "2026-04-06T20:31:13.417Z",
        "dateUpdated": "2026-04-21T19:49:47.411Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28039 (GCVE-0-2026-28039)

    Vulnerability from cvelistv5 – Published: 2026-03-05 05:54 – Updated: 2026-04-28 17:32
    VLAI
    Title
    WordPress wpDataTables plugin <= 6.5.0.1 - Local File Inclusion vulnerability
    Summary
    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in the wpDataTables plugin (vendor wpDataTables, package wpdatatables) allows PHP Local File Inclusion. This issue affects wpDataTables versions up to and including 6.5.0.1 (6.5.0.2 is marked unaffected).
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
    Assigner
    References
    Impacted products
    Vendor Product Version
    wpDataTables wpDataTables Affected: 0 , ≤ 6.5.0.1 (custom)
    Date Public
    2026-04-22 14:18
    Credits
    Nguyen Xuan Chien | Patchstack Bug Bounty Program

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28039",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-06T18:14:16.718942Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-28T17:32:47.465Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "wpdatatables",
              "product": "wpDataTables",
              "vendor": "wpDataTables",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "6.5.0.2",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "6.5.0.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nguyen Xuan Chien | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-22T14:18:40.760Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in wpDataTables wpDataTables wpdatatables allows PHP Local File Inclusion.\u003cp\u003eThis issue affects wpDataTables: from n/a through \u003c= 6.5.0.1.\u003c/p\u003e"
                }
              ],
              "value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in wpDataTables wpDataTables wpdatatables allows PHP Local File Inclusion.This issue affects wpDataTables: from n/a through \u003c= 6.5.0.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-252",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "PHP Local File Inclusion"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-98",
                  "description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:15:05.068Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/wpdatatables/vulnerability/wordpress-wpdatatables-plugin-6-4-0-5-local-file-inclusion-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress wpDataTables plugin \u003c= 6.5.0.1 - Local File Inclusion vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2026-28039",
        "datePublished": "2026-03-05T05:54:14.794Z",
        "dateReserved": "2026-02-25T12:13:25.489Z",
        "dateUpdated": "2026-04-28T17:32:47.465Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3820 (GCVE-0-2024-3820)

    Vulnerability from cvelistv5 – Published: 2024-06-01 08:38 – Updated: 2026-04-08 17:34
    VLAI
    Title
    wpDataTables - Tables & Table Charts (Premium) <= 6.3.1 - Unauthenticated SQL Injection
    Summary
    The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to SQL Injection via the 'id_key' parameter of the wdt_delete_table_row AJAX action in all versions up to, and including, 6.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Please note this only affects the premium version of the plugin.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    WPDataTables wpDataTables (Premium) Affected: 0 , ≤ 6.3.1 (semver)
    tms-plugins wpdatatables Affected: 0 , ≤ 6.3.1 (semver)
        cpe:2.3:a:tms-plugins:wpdatatables:*:*:*:*:*:*:*:*
    Credits
    Villu Orav

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:tms-plugins:wpdatatables:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "wpdatatables",
                "vendor": "tms-plugins",
                "versions": [
                  {
                    "lessThanOrEqual": "6.3.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3820",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-03T18:45:25.425676Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:31:23.147Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:20:01.772Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbba822b-172f-4167-bccf-4697a298178e?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "wpDataTables (Premium)",
              "vendor": "WPDataTables",
              "versions": [
                {
                  "lessThanOrEqual": "6.3.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Villu Orav"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to SQL Injection via the \u0027id_key\u0027 parameter of the wdt_delete_table_row AJAX action in all versions up to, and including, 6.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Please note this only affects the premium version of the plugin."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:34:35.118Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbba822b-172f-4167-bccf-4697a298178e?source=cve"
            },
            {
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-31T20:10:54.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "wpDataTables - Tables \u0026 Table Charts (Premium) \u003c= 6.3.1 - Unauthenticated SQL Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3820",
        "datePublished": "2024-06-01T08:38:58.419Z",
        "dateReserved": "2024-04-15T14:40:48.923Z",
        "dateUpdated": "2026-04-08T17:34:35.118Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3821 (GCVE-0-2024-3821)

    Vulnerability from cvelistv5 – Published: 2024-06-01 08:38 – Updated: 2026-04-08 17:25
    VLAI
    Title
    wpDataTables - Tables & Table Charts (Premium) <= 6.3.2 - Missing Authorization to DataTable Access & Modification
    Summary
    The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the wdt_ajax_actions.php file in all versions up to, and including, 6.3.2. This makes it possible for unauthenticated attackers to manipulate data tables. Please note this only affects the premium version of the plugin.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-862 - Missing Authorization
    Assigner
    Impacted products
    Credits
    Villu Orav

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3821",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-06-03T14:20:47.886424Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:31:07.663Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:20:02.063Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d32215b5-9ecb-4feb-b76f-18821184dd8b?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin",
              "vendor": "wpdatatables",
              "versions": [
                {
                  "lessThanOrEqual": "6.3.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Villu Orav"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the wdt_ajax_actions.php file in all versions up to, and including, 6.3.2. This makes it possible for unauthenticated attackers to manipulate data tables. Please note this only affects the premium version of the plugin."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:25:30.565Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d32215b5-9ecb-4feb-b76f-18821184dd8b?source=cve"
            },
            {
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-10-30T11:18:40.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-05-31T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "wpDataTables - Tables \u0026 Table Charts (Premium) \u003c= 6.3.2 - Missing Authorization to DataTable Access \u0026 Modification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3821",
        "datePublished": "2024-06-01T08:38:55.760Z",
        "dateReserved": "2024-04-15T14:43:52.796Z",
        "dateUpdated": "2026-04-08T17:25:30.565Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-4895 (GCVE-0-2024-4895)

    Vulnerability from cvelistv5 – Published: 2024-05-23 02:33 – Updated: 2026-04-08 16:35
    VLAI
    Title
    wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 3.4.2.12 - Unauthenticated Stored Cross-Site Scripting via CSV Import
    Summary
    The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CSV import functionality in all versions up to, and including, 3.4.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Tim Coen

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-4895",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-23T14:35:56.607961Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:55:17.648Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:55:10.244Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c944e08-1b70-4b56-80eb-f588c0fab5b6?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset/3089897/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/wpdatatables/#developers"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin",
              "vendor": "wpdatatables",
              "versions": [
                {
                  "lessThanOrEqual": "3.4.2.12",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tim Coen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CSV import functionality in all versions up to, and including, 3.4.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:35:05.928Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c944e08-1b70-4b56-80eb-f588c0fab5b6?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3089897/"
            },
            {
              "url": "https://wordpress.org/plugins/wpdatatables/#developers"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-05-22T14:10:41.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin \u003c= 3.4.2.12 - Unauthenticated Stored Cross-Site Scripting via CSV Import"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-4895",
        "datePublished": "2024-05-23T02:33:06.431Z",
        "dateReserved": "2024-05-15T05:43:14.775Z",
        "dateUpdated": "2026-04-08T16:35:05.928Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-0591 (GCVE-0-2024-0591)

    Vulnerability from cvelistv5 – Published: 2024-03-13 15:26 – Updated: 2026-04-08 16:55
    VLAI
    Title
    wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 3.4.2.2 - Reflected Cross-Site Scripting.
    Summary
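    The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'A' parameter in all versions up to, and including, 3.4.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Note: the structured affected-version range in this record is "lessThanOrEqual 3.4.2.4", which is wider than the 3.4.2.2 given in the title and description, so version matching should use the wider bound until the fixed release is confirmed from the referenced advisory. The references point at the PhpSpreadsheet samples directory bundled under the plugin's lib/ path, which suggests the affected script is a bundled library sample rather than the plugin's own code.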
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Matthew Rollings

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-0591",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-03-13T17:49:52.303248Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-24T19:20:29.488Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T18:11:35.194Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a679863-3c22-4d34-9994-1f8ec121ad86?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.svn.wordpress.org/wpdatatables/trunk/lib/phpoffice/phpspreadsheet/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.svn.wordpress.org/wpdatatables/trunk/lib/phpoffice/phpspreadsheet/samples/Basic/45_Quadratic_equation_solver.php"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3037741%40wpdatatables\u0026new=3037741%40wpdatatables\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin",
              "vendor": "wpdatatables",
              "versions": [
                {
                  "lessThanOrEqual": "3.4.2.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027A\u0027 parameter in all versions up to, and including, 3.4.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:55:07.008Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a679863-3c22-4d34-9994-1f8ec121ad86?source=cve"
            },
            {
              "url": "https://plugins.svn.wordpress.org/wpdatatables/trunk/lib/phpoffice/phpspreadsheet/"
            },
            {
              "url": "https://plugins.svn.wordpress.org/wpdatatables/trunk/lib/phpoffice/phpspreadsheet/samples/Basic/45_Quadratic_equation_solver.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3037741%40wpdatatables\u0026new=3037741%40wpdatatables\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-02-20T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin \u003c= 3.4.2.2 - Reflected Cross-Site Scripting."
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-0591",
        "datePublished": "2024-03-13T15:26:50.625Z",
        "dateReserved": "2024-01-16T13:49:20.243Z",
        "dateUpdated": "2026-04-08T16:55:07.008Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2021-24200 (GCVE-0-2021-24200)

    Vulnerability from cvelistv5 – Published: 2021-04-12 13:59 – Updated: 2024-08-03 19:21
    VLAI
    Title
    wpDataTables < 3.4.2 - Blind SQL Injection via length Parameter
    Summary
    The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.
    Severity
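    No CVSS data available: neither the CNA nor the ADP container of this record carries a metrics entry, so severity has to be judged from the description (CWE-89, database-wide read access for a low-privileged authenticated user).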
    CWE
    Assigner
    Impacted products
    Credits
    Veno Eivazian, Massimiliano Ferraresi

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:21:18.669Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wpDataTables \u2013 Tables \u0026 Table Charts",
              "vendor": "wpDataTables",
              "versions": [
                {
                  "lessThan": "3.4.2",
                  "status": "affected",
                  "version": "3.4.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Veno Eivazian, Massimiliano Ferraresi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable\u0026table_id=1, on the \u0027length\u0027 HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-12T13:59:38.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "wpDataTables \u003c 3.4.2 - Blind SQL Injection via length Parameter",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24200",
              "STATE": "PUBLIC",
              "TITLE": "wpDataTables \u003c 3.4.2 - Blind SQL Injection via length Parameter"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "wpDataTables \u2013 Tables \u0026 Table Charts",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "3.4.2",
                                "version_value": "3.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "wpDataTables"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Veno Eivazian, Massimiliano Ferraresi"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable\u0026table_id=1, on the \u0027length\u0027 HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpdatatables.com/help/whats-new-changelog/",
                  "refsource": "MISC",
                  "url": "https://wpdatatables.com/help/whats-new-changelog/"
                },
                {
                  "name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/",
                  "refsource": "MISC",
                  "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
                },
                {
                  "name": "https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24200",
        "datePublished": "2021-04-12T13:59:38.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:21:18.669Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24199 (GCVE-0-2021-24199)

    Vulnerability from cvelistv5 – Published: 2021-04-12 13:59 – Updated: 2024-08-03 19:21
    VLAI
    Title
    wpDataTables < 3.4.2 - Blind SQL Injection via start Parameter
    Summary
    The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.
    Severity
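    No CVSS data available: neither the CNA nor the ADP container of this record carries a metrics entry, so severity has to be judged from the description (CWE-89, database-wide read access for a low-privileged authenticated user).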
    CWE
    Assigner
    Impacted products
    Credits
    Veno Eivazian, Massimiliano Ferraresi

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:21:18.723Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/5c98c2d6-d002-4cff-9d6f-633cb3ec6280"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wpDataTables \u2013 Tables \u0026 Table Charts",
              "vendor": "wpDataTables",
              "versions": [
                {
                  "lessThan": "3.4.2",
                  "status": "affected",
                  "version": "3.4.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Veno Eivazian, Massimiliano Ferraresi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable\u0026table_id=1, on the \u0027start\u0027 HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-12T13:59:17.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/5c98c2d6-d002-4cff-9d6f-633cb3ec6280"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "wpDataTables \u003c 3.4.2 - Blind SQL Injection via start Parameter",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24199",
              "STATE": "PUBLIC",
              "TITLE": "wpDataTables \u003c 3.4.2 - Blind SQL Injection via start Parameter"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "wpDataTables \u2013 Tables \u0026 Table Charts",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "3.4.2",
                                "version_value": "3.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "wpDataTables"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Veno Eivazian, Massimiliano Ferraresi"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable\u0026table_id=1, on the \u0027start\u0027 HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpdatatables.com/help/whats-new-changelog/",
                  "refsource": "MISC",
                  "url": "https://wpdatatables.com/help/whats-new-changelog/"
                },
                {
                  "name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/",
                  "refsource": "MISC",
                  "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
                },
                {
                  "name": "https://wpscan.com/vulnerability/5c98c2d6-d002-4cff-9d6f-633cb3ec6280",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/5c98c2d6-d002-4cff-9d6f-633cb3ec6280"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24199",
        "datePublished": "2021-04-12T13:59:17.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:21:18.723Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24198 (GCVE-0-2021-24198)

    Vulnerability from cvelistv5 – Published: 2021-04-12 13:58 – Updated: 2024-08-03 19:21
    VLAI
    Title
    wpDataTables < 3.4.2 - Improper Access Control leading to Table Data Deletion
    Summary
    The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper with the parameters to delete the data of another user that is present in the same table through the id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table.
    Severity
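    No CVSS data available: the CNA and ADP containers shown for this record carry no metrics entry, so severity has to be judged from the description (CWE-284, deletion of other users' table data by a low-privileged authenticated user).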
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Credits
    Veno Eivazian, Massimiliano Ferraresi

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:21:18.665Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/d953bc62-8a6f-445b-a556-bc25cdd200e3"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wpDataTables \u2013 Tables \u0026 Table Charts",
              "vendor": "wpDataTables",
              "versions": [
                {
                  "lessThan": "3.4.2",
                  "status": "affected",
                  "version": "3.4.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Veno Eivazian, Massimiliano Ferraresi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to delete the data of another user that are present in the same table through id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-12T13:58:49.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/d953bc62-8a6f-445b-a556-bc25cdd200e3"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "wpDataTables \u003c 3.4.2 - Improper Access Control leading to Table Data Deletion",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24198",
              "STATE": "PUBLIC",
              "TITLE": "wpDataTables \u003c 3.4.2 - Improper Access Control leading to Table Data Deletion"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "wpDataTables \u2013 Tables \u0026 Table Charts",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "3.4.2",
                                "version_value": "3.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "wpDataTables"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Veno Eivazian, Massimiliano Ferraresi"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to delete the data of another user that are present in the same table through id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpdatatables.com/help/whats-new-changelog/",
                  "refsource": "MISC",
                  "url": "https://wpdatatables.com/help/whats-new-changelog/"
                },
                {
                  "name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/",
                  "refsource": "MISC",
                  "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
                },
                {
                  "name": "https://wpscan.com/vulnerability/d953bc62-8a6f-445b-a556-bc25cdd200e3",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/d953bc62-8a6f-445b-a556-bc25cdd200e3"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24198",
        "datePublished": "2021-04-12T13:58:49.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:21:18.665Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24197 (GCVE-0-2021-24197)

    Vulnerability from cvelistv5 – Published: 2021-04-12 13:58 – Updated: 2024-08-03 19:21
    Title
    wpDataTables < 3.4.2 - Improper Access Control leading to Table Permission Takeover
    Summary
    The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low-privilege authenticated user who visits the page where the table is published can tamper with the request parameters to access another user's data in the same table, taking over that user's permissions on the table through the formdata[wdt_ID] parameter. By exploiting this issue, an attacker is able to access and manage the data of all users in the same table.
    Severity
    No CVSS data available.
    CWE
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Credits
    Veno Eivazian, Massimiliano Ferraresi

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:21:18.696Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/a56c04a4-dda0-4a7f-a525-d0349a1fda2b"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "wpDataTables \u2013 Tables \u0026 Table Charts",
              "vendor": "wpDataTables",
              "versions": [
                {
                  "lessThan": "3.4.2",
                  "status": "affected",
                  "version": "3.4.2",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Veno Eivazian, Massimiliano Ferraresi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to access the data of another user that are present in the same table by taking over the user permissions on the table through formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "CWE-284 Improper Access Control",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-04-12T13:58:04.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://wpscan.com/vulnerability/a56c04a4-dda0-4a7f-a525-d0349a1fda2b"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "wpDataTables \u003c 3.4.2 - Improper Access Control leading to Table Permission Takeover",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24197",
              "STATE": "PUBLIC",
              "TITLE": "wpDataTables \u003c 3.4.2 - Improper Access Control leading to Table Permission Takeover"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "wpDataTables \u2013 Tables \u0026 Table Charts",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "3.4.2",
                                "version_value": "3.4.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "wpDataTables"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Veno Eivazian, Massimiliano Ferraresi"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to access the data of another user that are present in the same table by taking over the user permissions on the table through formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table."
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-284 Improper Access Control"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpdatatables.com/help/whats-new-changelog/",
                  "refsource": "MISC",
                  "url": "https://wpdatatables.com/help/whats-new-changelog/"
                },
                {
                  "name": "https://wpscan.com/vulnerability/a56c04a4-dda0-4a7f-a525-d0349a1fda2b",
                  "refsource": "CONFIRM",
                  "url": "https://wpscan.com/vulnerability/a56c04a4-dda0-4a7f-a525-d0349a1fda2b"
                },
                {
                  "name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/",
                  "refsource": "MISC",
                  "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
                }
              ]
            },
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24197",
        "datePublished": "2021-04-12T13:58:04.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:21:18.696Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-26754 (GCVE-0-2021-26754)

    Vulnerability from cvelistv5 – Published: 2021-02-07 23:31 – Updated: 2024-08-03 20:33
    Summary
    wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T20:33:40.866Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpdatatables.com/help/whats-new-changelog/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-i/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wordpress.org/plugins/wpdatatables/#developers"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-02-07T23:31:38.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpdatatables.com/help/whats-new-changelog/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-i/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wordpress.org/plugins/wpdatatables/#developers"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2021-26754",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpdatatables.com/help/whats-new-changelog/",
                  "refsource": "MISC",
                  "url": "https://wpdatatables.com/help/whats-new-changelog/"
                },
                {
                  "name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-i/",
                  "refsource": "MISC",
                  "url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-i/"
                },
                {
                  "name": "https://wordpress.org/plugins/wpdatatables/#developers",
                  "refsource": "MISC",
                  "url": "https://wordpress.org/plugins/wpdatatables/#developers"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2021-26754",
        "datePublished": "2021-02-07T23:31:38.000Z",
        "dateReserved": "2021-02-05T00:00:00.000Z",
        "dateUpdated": "2024-08-03T20:33:40.866Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2014-9175 (GCVE-0-2014-9175)

    Vulnerability from cvelistv5 – Published: 2014-12-02 16:00 – Updated: 2024-08-06 13:33
    Summary
    SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Date Public
    2014-11-23 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-06T13:33:13.506Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "71271",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/71271"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://www.homelab.it/index.php/2014/11/23/wordpress-wpdatatables-sql-injection-vulnerability"
              },
              {
                "name": "wp-wpdatatables-sql-injection(98928)",
                "tags": [
                  "vdb-entry",
                  "x_refsource_XF",
                  "x_transferred"
                ],
                "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98928"
              },
              {
                "name": "35340",
                "tags": [
                  "exploit",
                  "x_refsource_EXPLOIT-DB",
                  "x_transferred"
                ],
                "url": "http://www.exploit-db.com/exploits/35340"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/129232/WordPress-wpDataTables-1.5.3-SQL-Injection.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2014-11-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2017-09-07T15:57:01.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "name": "71271",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/71271"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://www.homelab.it/index.php/2014/11/23/wordpress-wpdatatables-sql-injection-vulnerability"
            },
            {
              "name": "wp-wpdatatables-sql-injection(98928)",
              "tags": [
                "vdb-entry",
                "x_refsource_XF"
              ],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98928"
            },
            {
              "name": "35340",
              "tags": [
                "exploit",
                "x_refsource_EXPLOIT-DB"
              ],
              "url": "http://www.exploit-db.com/exploits/35340"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://packetstormsecurity.com/files/129232/WordPress-wpDataTables-1.5.3-SQL-Injection.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2014-9175",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "71271",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/71271"
                },
                {
                  "name": "http://www.homelab.it/index.php/2014/11/23/wordpress-wpdatatables-sql-injection-vulnerability",
                  "refsource": "MISC",
                  "url": "http://www.homelab.it/index.php/2014/11/23/wordpress-wpdatatables-sql-injection-vulnerability"
                },
                {
                  "name": "wp-wpdatatables-sql-injection(98928)",
                  "refsource": "XF",
                  "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/98928"
                },
                {
                  "name": "35340",
                  "refsource": "EXPLOIT-DB",
                  "url": "http://www.exploit-db.com/exploits/35340"
                },
                {
                  "name": "http://packetstormsecurity.com/files/129232/WordPress-wpDataTables-1.5.3-SQL-Injection.html",
                  "refsource": "MISC",
                  "url": "http://packetstormsecurity.com/files/129232/WordPress-wpDataTables-1.5.3-SQL-Injection.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2014-9175",
        "datePublished": "2014-12-02T16:00:00.000Z",
        "dateReserved": "2014-12-02T00:00:00.000Z",
        "dateUpdated": "2024-08-06T13:33:13.506Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }