Skip to main content

wpDataTables CVE-2026-49080

| EUVDEUVD-2026-37496 CRITICAL
SQL Injection (CWE-89)
2026-06-16 Patchstack
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
9.3 CRITICAL

Unauthenticated network-reachable SQLi (AV:N/AC:L/PR:N/UI:N); scope changes to the WordPress DB (S:C); read-oriented data exposure drives C:H, no integrity change, minor A:L from query load.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:25 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.

AnalysisAI

SQL injection in the wpDataTables WordPress plugin versions 7.3.6 and earlier allows unauthenticated remote attackers to inject crafted SQL into backend database queries, with CVSS 9.3 reflecting a scope-changed impact that reaches beyond the plugin's own data context. The CVSS vector indicates high confidentiality impact and low availability impact with no integrity impact, suggesting the flaw is primarily useful for extracting sensitive WordPress data (including credentials and PII) rather than tampering with records. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Fingerprint WordPress site running wpDataTables
Delivery
Identify vulnerable AJAX/REST endpoint
Exploit
Inject SQL via table/filter parameter
Execution
Enumerate schema via UNION or blind techniques
Persist
Exfiltrate wp_users hashes and secrets
Impact
Crack hashes and authenticate as admin

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of any WordPress site with the wpDataTables plugin installed at version 7.3.6 or below, per CVSS AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to genuine high priority: CVSS 9.3 with AV:N/AC:L/PR:N/UI:N means a remote, unauthenticated, low-complexity attack with no user interaction, and the S:C (scope change) reflects database access crossing the plugin's authorization boundary into broader WordPress data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates a public WordPress site running wpDataTables ≤ 7.3.6 (fingerprintable via /wp-content/plugins/wpdatatables/ asset paths) and sends a crafted HTTP request to a vulnerable AJAX/REST endpoint with a SQL payload in a table, filter, or sort parameter. They use UNION-based or time-based blind injection to enumerate wp_users and dump administrator password hashes and email addresses, then crack the hashes offline or pivot to wp_options to steal API keys and integration secrets. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed from the provided data - administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpdatatables/vulnerability/wordpress-wpdatatables-plugin-7-3-6-sql-injection-vulnerability) and the TMS Plugins changelog to identify and install the first version above 7.3.6 that contains the fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations to identify systems running wpDataTables and document current versions in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-26754 CRITICAL POC
9.8 Feb 08

wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order

CVE-2014-9175 HIGH POC
7.5 Dec 02

SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote

CVE-2023-4314 HIGH POC
7.2 Sep 11

The wpDataTables WordPress plugin before 2.1.66 does not validate the "Serialized PHP array" input data before deseriali

CVE-2021-24198 HIGH
8.1 Apr 12

The wpDataTables - Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. Rated high s

CVE-2021-24197 HIGH
8.1 Apr 12

The wpDataTables - Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. Rated high s

CVE-2026-57672 HIGH
7.1 Jul 02

Reflected/stored cross-site scripting in the wpDataTables WordPress plugin (versions 6.5.1.1 and earlier) allows unauthe

CVE-2021-24200 MEDIUM
6.5 Apr 12

The wpDataTables - Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user

CVE-2021-24199 MEDIUM
6.5 Apr 12

The wpDataTables - Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user

CVE-2024-0591 MEDIUM
6.1 Mar 13

The wpDataTables - WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Refl

CVE-2023-23876 MEDIUM
5.4 May 03

Auth. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor pat

CVE-2022-29432 MEDIUM
4.8 May 20

Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in TMS-

Share

CVE-2026-49080 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy