Description
Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.
Published: 2026-06-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated SQL injection exists in the WordPress wpDataTables plugin versions 7.3.6 and earlier. This flaw allows attackers who can reach the plugin’s web interface to send specially crafted SQL statements that bypass the input sanitization logic. If successfully executed, an attacker could read, modify, or delete database records, potentially exposing sensitive data, tampering with site content, or escalating privileges to gain broader control over the WordPress installation. The weakness is classified as CWE‑89, the classic SQL injection vulnerability.

Affected Systems

Any WordPress site that has installed the wpDataTables plugin with a version of 7.3.6 or older is affected. Administrators of such sites should verify the plugin version and confirm it has not been updated to 7.4 or later.

Risk and Exploitability

The CVSS base score of 9.3 highlights a severe impact; the EPSS score of less than 1% indicates a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers typically target the plugin through unauthenticated HTTP requests directed at the plugin’s API endpoints, taking advantage of the fact that any user can craft the malicious SQL payload. Although the risk of exploitation remains low, the high severity score warrants prompt attention to prevent future increases in exploitation likelihood.

Generated by OpenCVE AI on June 17, 2026 at 19:33 UTC.

Remediation

Vendor Solution

Update the WordPress wpDataTables Plugin to the latest available version (at least 7.4).


OpenCVE Recommended Actions

  • Update the wpDataTables plugin to version 7.4 or later, which contains the necessary input validation fixes
  • If an immediate update is not possible, temporarily remove or disable the wpDataTables plugin to block unauthenticated requests
  • Review and harden database permissions, ensuring that the database account used by the WordPress installation has the minimal privileges required

Generated by OpenCVE AI on June 17, 2026 at 19:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Tms
Tms wpdatatables
Wordpress
Wordpress wordpress
Vendors & Products Tms
Tms wpdatatables
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.
Title WordPress wpDataTables plugin <= 7.3.6 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Tms Wpdatatables
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:36:36.277Z

Reserved: 2026-05-27T10:27:01.187Z

Link: CVE-2026-49080

cve-icon Vulnrichment

Updated: 2026-06-17T10:36:31.188Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:20Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')