Description
The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion.
Published: 2026-05-06
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Ninja Tables plugin contains a missing authorization check in the createFluentCartTable function, allowing any authenticated user with Subscriber-level access or higher to create arbitrary database tables. This can result in database pollution and – if the tables consume significant storage – resource exhaustion. The flaw is a missing authorization weakness, classified as CWE-862.

Affected Systems

WordPress sites that use the Ninja Tables – Easy Data Table Builder plugin from techjewel. Versions up to and including 5.2.6 lack the necessary authorization checks and are therefore vulnerable.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk. EPSS information is not available and the vulnerability is not listed in CISA KEV, suggesting a lower likelihood of widespread exploitation. The likely attack vector is an authenticated HTTP request to the plugin’s createFluentCartTable endpoint, inferred from the code paths shown in the advisory. An attacker only needs a Subscriber or higher account to trigger table creation, which threatens database integrity and can consume storage.

Generated by OpenCVE AI on May 6, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Ninja Tables release that adds the missing authorization check.
  • Restrict the FluentCart module or createFluentCartTable endpoint so that only Administrators can trigger table creation.
  • If the FluentCart module is not needed, disable or remove it entirely.
  • Regularly monitor the database for unexpected tables and review integrity to detect any pollution.

History

Wed, 06 May 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Techjewel; Techjewel ninja Tables – Easy Data Table Builder; Wordpress; Wordpress wordpress
Vendors & Products | | Techjewel; Techjewel ninja Tables – Easy Data Table Builder; Wordpress; Wordpress wordpress

Wed, 06 May 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion.
Title | | Ninja Tables <= 5.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-06T04:26:48.825Z

Reserved: 2026-02-10T20:14:05.573Z

Link: CVE-2026-2306

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-06T06:16:03.660

Modified: 2026-05-06T06:16:03.660

Link: CVE-2026-2306

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T09:21:17Z