Skip to main content

wpDataTables CVE-2026-54825

| EUVDEUVD-2026-39672 CRITICAL
SQL Injection (CWE-89)
2026-06-26 audit@patchstack.com GHSA-q844-rcc5-845v
9.3
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.2 HIGH

Unauthenticated network SQLi with low complexity (PR:N/AV:N/AC:L); high confidentiality from data extraction, with limited integrity potential and scope kept Unchanged absent evidence of cross-component impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:32 vuln.today

DescriptionCVE.org

Unauthenticated SQL Injection in wpDataTables <= 7.4 versions.

AnalysisAI

Unauthenticated SQL injection in the wpDataTables WordPress plugin (versions up to and including 7.4) lets remote attackers inject crafted SQL into database queries without any authentication or user interaction, exposing the WordPress backend database. With a CVSS 9.3 (critical) score and a CWE-89 root cause, the flaw enables extraction of sensitive data such as user credentials and configuration secrets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running wpDataTables ≤7.4
Delivery
Send crafted request to table endpoint
Exploit
Inject SQL via unsanitized parameter
Execution
Database executes attacker query
Impact
Exfiltrate credentials and sensitive data

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation of wpDataTables versions ≤ 7.4 over the network (AV:N/AC:L/PR:N/UI:N), with no user interaction required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) describes the worst realistic exposure profile for a web vulnerability: network-reachable, low complexity, no privileges, no user interaction, with a scope change and high confidentiality impact - consistent with unauthenticated SQL injection. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request to a wpDataTables endpoint, injecting SQL through a table or query parameter that is concatenated into a backend database query. The injected statement returns or infers WordPress data - such as the wp_users table - letting the attacker exfiltrate password hashes and secrets. …
Remediation No vendor-released patch version is identified at time of analysis from the provided data; the only reference is the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpdatatables/vulnerability/wordpress-wpdatatables-plugin-7-4-sql-injection-vulnerability?_s_id=cve, which should be consulted for the official fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all WordPress instances running wpDataTables ≤7.4; deploy Web Application Firewall rules to block SQL injection patterns; disable plugin if business operations permit. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54825 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy