Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Unauthenticated network SQLi with low complexity (PR:N/AV:N/AC:L); high confidentiality from data extraction, with limited integrity potential and scope kept Unchanged absent evidence of cross-component impact.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated SQL Injection in wpDataTables <= 7.4 versions.
AnalysisAI
Unauthenticated SQL injection in the wpDataTables WordPress plugin (versions up to and including 7.4) lets remote attackers inject crafted SQL into database queries without any authentication or user interaction, exposing the WordPress backend database. With a CVSS 9.3 (critical) score and a CWE-89 root cause, the flaw enables extraction of sensitive data such as user credentials and configuration secrets. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation of wpDataTables versions ≤ 7.4 over the network (AV:N/AC:L/PR:N/UI:N), with no user interaction required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) describes the worst realistic exposure profile for a web vulnerability: network-reachable, low complexity, no privileges, no user interaction, with a scope change and high confidentiality impact - consistent with unauthenticated SQL injection. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP request to a wpDataTables endpoint, injecting SQL through a table or query parameter that is concatenated into a backend database query. The injected statement returns or infers WordPress data - such as the wp_users table - letting the attacker exfiltrate password hashes and secrets. … |
| Remediation | No vendor-released patch version is identified at time of analysis from the provided data; the only reference is the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/wpdatatables/vulnerability/wordpress-wpdatatables-plugin-7-4-sql-injection-vulnerability?_s_id=cve, which should be consulted for the official fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all WordPress instances running wpDataTables ≤7.4; deploy Web Application Firewall rules to block SQL injection patterns; disable plugin if business operations permit. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39672
GHSA-q844-rcc5-845v