Skip to main content

wpDataTables EUVDEUVD-2026-41283

| CVE-2026-57672 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-wh3h-pj4h-37rg
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network-reachable XSS (AV:N/PR:N) requiring victim interaction (UI:R), with scope change into the site context (S:C) and limited browser-side C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:19 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in wpDataTables <= 6.5.1.1 versions.

AnalysisAI

Reflected/stored cross-site scripting in the wpDataTables WordPress plugin (versions 6.5.1.1 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they view a crafted page or follow a malicious link. The scope-change (S:C) rating in the CVSS vector indicates the injected script can affect resources beyond the vulnerable component - for example the wider WordPress site context - enabling session/cookie theft or admin-panel actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft URL with malicious script payload
Delivery
Lure victim to open crafted wpDataTables page
Exploit
Unsanitized input reflected into HTML
Execution
Script executes in site origin (scope change)
Impact
Steal session cookies or perform admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires that the wpDataTables plugin (version 6.5.1.1 or earlier) is installed and that the vulnerable input-reflecting path is publicly reachable - no authentication is needed (PR:N), consistent with the "unauthenticated XSS" disclosure. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.1 (High) driven by AV:N/AC:L/PR:N/UI:R with a scope change (S:C) and Low impact across confidentiality, integrity, and availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or submits input to a wpDataTables-rendered page containing a malicious script payload, then lures a site visitor or administrator to open it (UI:R). When the victim's browser renders the unsanitized output, the script runs in the site's origin and, given the scope change, can steal session cookies, perform actions as the victim, or attempt admin-panel takeover. …
Remediation No exact vendor fix version is stated in the available data, so the specific patched release is not independently confirmed; consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wpdatatables/vulnerability/wordpress-wpdatatables-plugin-6-5-1-1-cross-site-scripting-xss-vulnerability) and the plugin's changelog and upgrade to the first release above 6.5.1.1 as soon as the vendor publishes it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for wpDataTables ≤6.5.1.1; immediately disable or uninstall the plugin until a vendor patch is released. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2021-26754 CRITICAL POC
9.8 Feb 08

wpDataTables before 3.4.1 mishandles order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order

CVE-2014-9175 HIGH POC
7.5 Dec 02

SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote

CVE-2023-4314 HIGH POC
7.2 Sep 11

The wpDataTables WordPress plugin before 2.1.66 does not validate the "Serialized PHP array" input data before deseriali

CVE-2026-49080 CRITICAL
9.3 Jun 16

SQL injection in the wpDataTables WordPress plugin versions 7.3.6 and earlier allows unauthenticated remote attackers to

CVE-2021-24198 HIGH
8.1 Apr 12

The wpDataTables - Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. Rated high s

CVE-2021-24197 HIGH
8.1 Apr 12

The wpDataTables - Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. Rated high s

CVE-2021-24200 MEDIUM
6.5 Apr 12

The wpDataTables - Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user

CVE-2021-24199 MEDIUM
6.5 Apr 12

The wpDataTables - Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user

CVE-2024-0591 MEDIUM
6.1 Mar 13

The wpDataTables - WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Refl

CVE-2023-23876 MEDIUM
5.4 May 03

Auth. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor pat

CVE-2022-29432 MEDIUM
4.8 May 20

Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in TMS-

Share

EUVD-2026-41283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy