Description
The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user-supplied parameters; only single functions can be called, so the impact is limited.
Published: 2025-06-03
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via PHP Object Injection
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists in the Ninja Tables – Easy Data Table Builder WordPress plugin up through version 5.0.18. An attacker can supply untrusted data in the args[callback] parameter, causing the plugin to deserialize PHP objects without proper validation. The deserialization flaw enables PHP Object Injection, which, combined with a pre‑existing POP chain, allows the execution of arbitrary PHP functions. Although the effect is limited to a handful of functions and does not provide user‑supplied parameters, the ability to run code remotely satisfies the definition of Remote Code Execution.

Affected Systems

This flaw affects the plugin Ninja Tables – Easy Data Table Builder distributed by Techjewel for WordPress. Any WordPress installation running the plugin at version 5.0.18 or earlier is susceptible.

Risk and Exploitability

The CVSS score of 5.6 classifies the vulnerability as moderate severity. The EPSS score is less than 1%, indicating a low but non‑zero likelihood of exploitation. It is not listed in the CISA KEV catalog, suggesting no publicly reported exploit yet. Attackers could exploit the flaw by sending a crafted HTTP request containing the malicious args[callback] payload to any public WordPress site that hosts the vulnerable plugin. Because no authentication is required, the attack vector is open to anyone with network access to the target.

Generated by OpenCVE AI on April 22, 2026 at 01:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ninja Tables plugin to version 5.0.19 or later on all WordPress installations.
  • If an upgrade is not immediately possible, deactivate the plugin to block unauthenticated access to the vulnerable endpoint.
  • Review any REST API or XML‑RPC configurations that expose the args[callback] parameter and restrict or remove unauthenticated calls to those endpoints.

Advisories
Source: EUVD
ID: EUVD-2025-16743
Title: The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user-supplied parameters; only single functions can be called, so the impact is limited.

History

Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics
Values Removed: epss {'score': 0.00045}
Values Added: epss {'score': 0.00063}


Thu, 10 Jul 2025 14:45:00 +0000

Type: First Time appeared
Values Added: Wpmanageninja; Wpmanageninja ninja Tables

Type: CPEs
Values Added: cpe:2.3:a:wpmanageninja:ninja_tables:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Wpmanageninja; Wpmanageninja ninja Tables

Tue, 03 Jun 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Jun 2025 03:15:00 +0000

Type: Description
Values Added: The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user-supplied parameters; only single functions can be called, so the impact is limited.

Type: Title
Values Added: Ninja Tables – Easy Data Table Builder <= 5.0.18 - Unauthenticated PHP Object Injection to Limited Remote Code Execution

Type: Weaknesses
Values Added: CWE-502

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:18.334Z

Reserved: 2025-03-28T17:36:43.707Z

Link: CVE-2025-2939

Vulnrichment

Updated: 2025-06-03T14:51:22.428Z

NVD

Status: Analyzed

Published: 2025-06-03T03:15:27.137

Modified: 2025-07-10T14:20:31.850

Link: CVE-2025-2939

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:30:05Z

Weaknesses