10 vulnerabilities found for WPDataTables
CVE-2026-5721 (GCVE-0-2026-5721)
Vulnerability from cvelistv5
Published
2026-04-20 22:25
Modified
2026-04-20 22:25
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.5.0.4. This is due to insufficient input sanitization and output escaping in the prepareCellOutput() method of the LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, given that they can trick an Administrator into importing data from an attacker-controlled source and the affected column types (Link, Image, or Email) are configured.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpdatatables | wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | Version: 0 ≤ 6.5.0.4 |
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin",
"vendor": "wpdatatables",
"versions": [
{
"lessThanOrEqual": "6.5.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thai Do Nhat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.5.0.4. This is due to insufficient input sanitization and output escaping in the prepareCellOutput() method of the LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, given that they can trick an Administrator into importing data from an attacker-controlled source and the affected column types (Link, Image, or Email) are configured."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T22:25:26.695Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8db736fb-cd6c-4a52-9dd3-eefd0a8d9267?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3510613/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-26T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-04-06T20:46:39.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-20T09:28:15.000Z",
"value": "Disclosed"
}
],
"title": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin \u003c= 6.5.0.4 - Unauthenticated Stored Cross-Site Scripting via CSV/Excel Data Import"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5721",
"datePublished": "2026-04-20T22:25:26.695Z",
"dateReserved": "2026-04-06T20:31:13.417Z",
"dateUpdated": "2026-04-20T22:25:26.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28039 (GCVE-0-2026-28039)
Vulnerability from cvelistv5
Published
2026-03-05 05:54
Modified
2026-04-01 14:15
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpDataTables wpDataTables wpdatatables allows PHP Local File Inclusion. This issue affects wpDataTables: from n/a through 6.5.0.1. (The CWE-98 title mentions remote file inclusion; the impact recorded for this issue is local file inclusion, CAPEC-252.)
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpDataTables | wpDataTables | Version: 0 ≤ 6.5.0.1 (unaffected from 6.5.0.2) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-28039",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-06T18:14:16.718942Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-06T18:14:21.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "wpdatatables",
"product": "wpDataTables",
"vendor": "wpDataTables",
"versions": [
{
"changes": [
{
"at": "6.5.0.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "6.5.0.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Xuan Chien | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:05:39.082Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in wpDataTables wpDataTables wpdatatables allows PHP Local File Inclusion.\u003cp\u003eThis issue affects wpDataTables: from n/a through \u003c= 6.5.0.1.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in wpDataTables wpDataTables wpdatatables allows PHP Local File Inclusion.This issue affects wpDataTables: from n/a through \u003c= 6.5.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:15:30.385Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/wpdatatables/vulnerability/wordpress-wpdatatables-plugin-6-4-0-5-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress wpDataTables plugin \u003c= 6.5.0.1 - Local File Inclusion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-28039",
"datePublished": "2026-03-05T05:54:14.794Z",
"dateReserved": "2026-02-25T12:13:25.489Z",
"dateUpdated": "2026-04-01T14:15:30.385Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-3820 (GCVE-0-2024-3820)
Vulnerability from cvelistv5
Published
2024-06-01 08:38
Modified
2026-04-08 17:34
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to SQL Injection via the 'id_key' parameter of the wdt_delete_table_row AJAX action in all versions up to, and including, 6.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Please note this only affects the premium version of the plugin.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| WPDataTables | wpDataTables (Premium) | Version: 0 ≤ 6.3.1 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:tms-plugins:wpdatatables:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "wpdatatables",
"vendor": "tms-plugins",
"versions": [
{
"lessThanOrEqual": "6.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3820",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-03T18:45:25.425676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:31:23.147Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:01.772Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbba822b-172f-4167-bccf-4697a298178e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wpdatatables.com/help/whats-new-changelog/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "wpDataTables (Premium)",
"vendor": "WPDataTables",
"versions": [
{
"lessThanOrEqual": "6.3.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Villu Orav"
}
],
"descriptions": [
{
"lang": "en",
"value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to SQL Injection via the \u0027id_key\u0027 parameter of the wdt_delete_table_row AJAX action in all versions up to, and including, 6.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Please note this only affects the premium version of the plugin."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:34:35.118Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbba822b-172f-4167-bccf-4697a298178e?source=cve"
},
{
"url": "https://wpdatatables.com/help/whats-new-changelog/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-31T20:10:54.000Z",
"value": "Disclosed"
}
],
"title": "wpDataTables - Tables \u0026 Table Charts (Premium) \u003c= 6.3.1 - Unauthenticated SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3820",
"datePublished": "2024-06-01T08:38:58.419Z",
"dateReserved": "2024-04-15T14:40:48.923Z",
"dateUpdated": "2026-04-08T17:34:35.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-3821 (GCVE-0-2024-3821)
Vulnerability from cvelistv5
Published
2024-06-01 08:38
Modified
2026-04-08 17:25
CWE
- CWE-862 - Missing Authorization
Summary
The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the wdt_ajax_actions.php file in all versions up to, and including, 6.3.2. This makes it possible for unauthenticated attackers to manipulate data tables. Please note this only affects the premium version of the plugin.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpdatatables | wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | Version: 0 ≤ 6.3.2 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3821",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-03T14:20:47.886424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:31:07.663Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:20:02.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d32215b5-9ecb-4feb-b76f-18821184dd8b?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wpdatatables.com/help/whats-new-changelog/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin",
"vendor": "wpdatatables",
"versions": [
{
"lessThanOrEqual": "6.3.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Villu Orav"
}
],
"descriptions": [
{
"lang": "en",
"value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the wdt_ajax_actions.php file in all versions up to, and including, 6.3.2. This makes it possible for unauthenticated attackers to manipulate data tables. Please note this only affects the premium version of the plugin."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:25:30.565Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d32215b5-9ecb-4feb-b76f-18821184dd8b?source=cve"
},
{
"url": "https://wpdatatables.com/help/whats-new-changelog/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-30T11:18:40.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-05-31T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "wpDataTables - Tables \u0026 Table Charts (Premium) \u003c= 6.3.2 - Missing Authorization to DataTable Access \u0026 Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3821",
"datePublished": "2024-06-01T08:38:55.760Z",
"dateReserved": "2024-04-15T14:43:52.796Z",
"dateUpdated": "2026-04-08T17:25:30.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4895 (GCVE-0-2024-4895)
Vulnerability from cvelistv5
Published
2024-05-23 02:33
Modified
2026-04-08 16:35
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CSV import functionality in all versions up to, and including, 3.4.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpdatatables | wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | Version: 0 ≤ 3.4.2.12 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T14:35:56.607961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:55:17.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.244Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c944e08-1b70-4b56-80eb-f588c0fab5b6?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3089897/"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/wpdatatables/#developers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin",
"vendor": "wpdatatables",
"versions": [
{
"lessThanOrEqual": "3.4.2.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tim Coen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CSV import functionality in all versions up to, and including, 3.4.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:35:05.928Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c944e08-1b70-4b56-80eb-f588c0fab5b6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3089897/"
},
{
"url": "https://wordpress.org/plugins/wpdatatables/#developers"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-22T14:10:41.000Z",
"value": "Disclosed"
}
],
"title": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin \u003c= 3.4.2.12 - Unauthenticated Stored Cross-Site Scripting via CSV Import"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4895",
"datePublished": "2024-05-23T02:33:06.431Z",
"dateReserved": "2024-05-15T05:43:14.775Z",
"dateUpdated": "2026-04-08T16:35:05.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-0591 (GCVE-0-2024-0591)
Vulnerability from cvelistv5
Published
2024-03-13 15:26
Modified
2026-04-08 16:55
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'A' parameter in all versions up to, and including, 3.4.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
References
Impacted products
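| Vendor | Product | Version |
|---|---|---|
| wpdatatables | wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | Version: 0 ≤ 3.4.2.4 |

Note: the description and title of this record say versions up to and including 3.4.2.2, while its affected-versions field gives ≤ 3.4.2.4.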
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0591",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-13T17:49:52.303248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-24T19:20:29.488Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:11:35.194Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a679863-3c22-4d34-9994-1f8ec121ad86?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.svn.wordpress.org/wpdatatables/trunk/lib/phpoffice/phpspreadsheet/"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.svn.wordpress.org/wpdatatables/trunk/lib/phpoffice/phpspreadsheet/samples/Basic/45_Quadratic_equation_solver.php"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3037741%40wpdatatables\u0026new=3037741%40wpdatatables\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin",
"vendor": "wpdatatables",
"versions": [
{
"lessThanOrEqual": "3.4.2.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Matthew Rollings"
}
],
"descriptions": [
{
"lang": "en",
"value": "The wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027A\u0027 parameter in all versions up to, and including, 3.4.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:55:07.008Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a679863-3c22-4d34-9994-1f8ec121ad86?source=cve"
},
{
"url": "https://plugins.svn.wordpress.org/wpdatatables/trunk/lib/phpoffice/phpspreadsheet/"
},
{
"url": "https://plugins.svn.wordpress.org/wpdatatables/trunk/lib/phpoffice/phpspreadsheet/samples/Basic/45_Quadratic_equation_solver.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3037741%40wpdatatables\u0026new=3037741%40wpdatatables\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-02-20T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "wpDataTables \u2013 WordPress Data Table, Dynamic Tables \u0026 Table Charts Plugin \u003c= 3.4.2.2 - Reflected Cross-Site Scripting."
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0591",
"datePublished": "2024-03-13T15:26:50.625Z",
"dateReserved": "2024-01-16T13:49:20.243Z",
"dateUpdated": "2026-04-08T16:55:07.008Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-24200 (GCVE-0-2021-24200)
Vulnerability from cvelistv5
Published
2021-04-12 13:59
Modified
2024-08-03 19:21
CWE
- CWE-89 - SQL Injection
Summary
The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpDataTables | wpDataTables – Tables & Table Charts | Version: < 3.4.2 (record: version 3.4.2, lessThan 3.4.2) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.669Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpdatatables.com/help/whats-new-changelog/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wpDataTables \u2013 Tables \u0026 Table Charts",
"vendor": "wpDataTables",
"versions": [
{
"lessThan": "3.4.2",
"status": "affected",
"version": "3.4.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Veno Eivazian, Massimiliano Ferraresi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable\u0026table_id=1, on the \u0027length\u0027 HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-12T13:59:38.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpdatatables.com/help/whats-new-changelog/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "wpDataTables \u003c 3.4.2 - Blind SQL Injection via length Parameter",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24200",
"STATE": "PUBLIC",
"TITLE": "wpDataTables \u003c 3.4.2 - Blind SQL Injection via length Parameter"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wpDataTables \u2013 Tables \u0026 Table Charts",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.4.2",
"version_value": "3.4.2"
}
]
}
}
]
},
"vendor_name": "wpDataTables"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Veno Eivazian, Massimiliano Ferraresi"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable\u0026table_id=1, on the \u0027length\u0027 HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpdatatables.com/help/whats-new-changelog/",
"refsource": "MISC",
"url": "https://wpdatatables.com/help/whats-new-changelog/"
},
{
"name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/",
"refsource": "MISC",
"url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
},
{
"name": "https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/21aa7e18-0162-45bf-a5c6-ceee64ffa1f9"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24200",
"datePublished": "2021-04-12T13:59:38.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24199 (GCVE-0-2021-24199)
Vulnerability from cvelistv5
Published
2021-04-12 13:59
Modified
2024-08-03 19:21
CWE
- CWE-89 - SQL Injection
Summary
The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| wpDataTables | wpDataTables – Tables & Table Charts | Version: < 3.4.2 (record: version 3.4.2, lessThan 3.4.2) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.723Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpdatatables.com/help/whats-new-changelog/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/5c98c2d6-d002-4cff-9d6f-633cb3ec6280"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wpDataTables \u2013 Tables \u0026 Table Charts",
"vendor": "wpDataTables",
"versions": [
{
"lessThan": "3.4.2",
"status": "affected",
"version": "3.4.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Veno Eivazian, Massimiliano Ferraresi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable\u0026table_id=1, on the \u0027start\u0027 HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-12T13:59:17.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpdatatables.com/help/whats-new-changelog/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/5c98c2d6-d002-4cff-9d6f-633cb3ec6280"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "wpDataTables \u003c 3.4.2 - Blind SQL Injection via start Parameter",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24199",
"STATE": "PUBLIC",
"TITLE": "wpDataTables \u003c 3.4.2 - Blind SQL Injection via start Parameter"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wpDataTables \u2013 Tables \u0026 Table Charts",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.4.2",
"version_value": "3.4.2"
}
]
}
}
]
},
"vendor_name": "wpDataTables"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Veno Eivazian, Massimiliano Ferraresi"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable\u0026table_id=1, on the \u0027start\u0027 HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpdatatables.com/help/whats-new-changelog/",
"refsource": "MISC",
"url": "https://wpdatatables.com/help/whats-new-changelog/"
},
{
"name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/",
"refsource": "MISC",
"url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
},
{
"name": "https://wpscan.com/vulnerability/5c98c2d6-d002-4cff-9d6f-633cb3ec6280",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/5c98c2d6-d002-4cff-9d6f-633cb3ec6280"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24199",
"datePublished": "2021-04-12T13:59:17.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24198 (GCVE-0-2021-24198)
Vulnerability from cvelistv5
Published
2021-04-12 13:58
Modified
2024-08-03 19:21
CWE
- CWE-284 - Improper Access Control
Summary
The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to delete the data of another user that are present in the same table through id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table.
References
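| URL | Tags |
|---|---|
| https://wpdatatables.com/help/whats-new-changelog/ | x_refsource_MISC |
| https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/ | x_refsource_MISC |
| https://wpscan.com/vulnerability/d953bc62-8a6f-445b-a556-bc25cdd200e3 | x_refsource_CONFIRM |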
Impacted products
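| Vendor | Product | Version |
|---|---|---|
| wpDataTables | wpDataTables – Tables & Table Charts | Version: 3.4.2 < 3.4.2 (affected: versions before 3.4.2; the record gives 3.4.2 as both the range start and the exclusive upper bound, so read literally the range is empty) |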
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.665Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpdatatables.com/help/whats-new-changelog/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/d953bc62-8a6f-445b-a556-bc25cdd200e3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wpDataTables \u2013 Tables \u0026 Table Charts",
"vendor": "wpDataTables",
"versions": [
{
"lessThan": "3.4.2",
"status": "affected",
"version": "3.4.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Veno Eivazian, Massimiliano Ferraresi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to delete the data of another user that are present in the same table through id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-12T13:58:49.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpdatatables.com/help/whats-new-changelog/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/d953bc62-8a6f-445b-a556-bc25cdd200e3"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "wpDataTables \u003c 3.4.2 - Improper Access Control leading to Table Data Deletion",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24198",
"STATE": "PUBLIC",
"TITLE": "wpDataTables \u003c 3.4.2 - Improper Access Control leading to Table Data Deletion"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wpDataTables \u2013 Tables \u0026 Table Charts",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.4.2",
"version_value": "3.4.2"
}
]
}
}
]
},
"vendor_name": "wpDataTables"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Veno Eivazian, Massimiliano Ferraresi"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to delete the data of another user that are present in the same table through id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpdatatables.com/help/whats-new-changelog/",
"refsource": "MISC",
"url": "https://wpdatatables.com/help/whats-new-changelog/"
},
{
"name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/",
"refsource": "MISC",
"url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
},
{
"name": "https://wpscan.com/vulnerability/d953bc62-8a6f-445b-a556-bc25cdd200e3",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/d953bc62-8a6f-445b-a556-bc25cdd200e3"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24198",
"datePublished": "2021-04-12T13:58:49.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.665Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-24197 (GCVE-0-2021-24197)
Vulnerability from cvelistv5
Published
2021-04-12 13:58
Modified
2024-08-03 19:21
CWE
- CWE-284 - Improper Access Control
Summary
The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to access the data of another user that are present in the same table by taking over the user permissions on the table through formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table.
References
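| URL | Tags |
|---|---|
| https://wpdatatables.com/help/whats-new-changelog/ | x_refsource_MISC |
| https://wpscan.com/vulnerability/a56c04a4-dda0-4a7f-a525-d0349a1fda2b | x_refsource_CONFIRM |
| https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/ | x_refsource_MISC |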
Impacted products
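| Vendor | Product | Version |
|---|---|---|
| wpDataTables | wpDataTables – Tables & Table Charts | Version: 3.4.2 < 3.4.2 (affected: versions before 3.4.2; the record gives 3.4.2 as both the range start and the exclusive upper bound, so read literally the range is empty) |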
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T19:21:18.696Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wpdatatables.com/help/whats-new-changelog/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/a56c04a4-dda0-4a7f-a525-d0349a1fda2b"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "wpDataTables \u2013 Tables \u0026 Table Charts",
"vendor": "wpDataTables",
"versions": [
{
"lessThan": "3.4.2",
"status": "affected",
"version": "3.4.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Veno Eivazian, Massimiliano Ferraresi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to access the data of another user that are present in the same table by taking over the user permissions on the table through formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-04-12T13:58:04.000Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wpdatatables.com/help/whats-new-changelog/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wpscan.com/vulnerability/a56c04a4-dda0-4a7f-a525-d0349a1fda2b"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "wpDataTables \u003c 3.4.2 - Improper Access Control leading to Table Permission Takeover",
"x_generator": "WPScan CVE Generator",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "contact@wpscan.com",
"ID": "CVE-2021-24197",
"STATE": "PUBLIC",
"TITLE": "wpDataTables \u003c 3.4.2 - Improper Access Control leading to Table Permission Takeover"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "wpDataTables \u2013 Tables \u0026 Table Charts",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "3.4.2",
"version_value": "3.4.2"
}
]
}
}
]
},
"vendor_name": "wpDataTables"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Veno Eivazian, Massimiliano Ferraresi"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The wpDataTables \u2013 Tables \u0026 Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low privilege authenticated user that visits the page where the table is published can tamper the parameters to access the data of another user that are present in the same table by taking over the user permissions on the table through formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table."
}
]
},
"generator": "WPScan CVE Generator",
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://wpdatatables.com/help/whats-new-changelog/",
"refsource": "MISC",
"url": "https://wpdatatables.com/help/whats-new-changelog/"
},
{
"name": "https://wpscan.com/vulnerability/a56c04a4-dda0-4a7f-a525-d0349a1fda2b",
"refsource": "CONFIRM",
"url": "https://wpscan.com/vulnerability/a56c04a4-dda0-4a7f-a525-d0349a1fda2b"
},
{
"name": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/",
"refsource": "MISC",
"url": "https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2021-24197",
"datePublished": "2021-04-12T13:58:04.000Z",
"dateReserved": "2021-01-14T00:00:00.000Z",
"dateUpdated": "2024-08-03T19:21:18.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}