Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Unauthenticated network-reachable XSS (AV:N/PR:N) requiring victim interaction (UI:R), with scope change into the site context (S:C) and limited browser-side C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in wpDataTables <= 6.5.1.1 versions.
AnalysisAI
Reflected/stored cross-site scripting in the wpDataTables WordPress plugin (versions 6.5.1.1 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they view a crafted page or follow a malicious link. The scope-change (S:C) rating in the CVSS vector indicates the injected script can affect resources beyond the vulnerable component - for example the wider WordPress site context - enabling session/cookie theft or admin-panel actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the wpDataTables plugin (version 6.5.1.1 or earlier) is installed and that the vulnerable input-reflecting path is publicly reachable - no authentication is needed (PR:N), consistent with the "unauthenticated XSS" disclosure. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score is 7.1 (High) driven by AV:N/AC:L/PR:N/UI:R with a scope change (S:C) and Low impact across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a URL or submits input to a wpDataTables-rendered page containing a malicious script payload, then lures a site visitor or administrator to open it (UI:R). When the victim's browser renders the unsanitized output, the script runs in the site's origin and, given the scope change, can steal session cookies, perform actions as the victim, or attempt admin-panel takeover. … |
| Remediation | No exact vendor fix version is stated in the available data, so the specific patched release is not independently confirmed; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpdatatables/vulnerability/wordpress-wpdatatables-plugin-6-5-1-1-cross-site-scripting-xss-vulnerability) and the plugin's changelog and upgrade to the first release above 6.5.1.1 as soon as the vendor publishes it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations for wpDataTables ≤6.5.1.1; immediately disable or uninstall the plugin until a vendor patch is released. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Wpdatatables
View allwpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order
SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote
The wpDataTables WordPress plugin before 2.1.66 does not validate the "Serialized PHP array" input data before deseriali
SQL injection in the wpDataTables WordPress plugin versions 7.3.6 and earlier allows unauthenticated remote attackers to
The wpDataTables - Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. Rated high s
The wpDataTables - Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. Rated high s
The wpDataTables - Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user
The wpDataTables - Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user
The wpDataTables - WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Refl
Auth. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in TMS-
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41283
GHSA-wh3h-pj4h-37rg