Impact
Unauthenticated SQL injection exists in the WordPress wpDataTables plugin versions 7.3.6 and earlier. This flaw allows attackers who can reach the plugin’s web interface to send specially crafted SQL statements that bypass the input sanitization logic. If successfully executed, an attacker could read, modify, or delete database records, potentially exposing sensitive data, tampering with site content, or escalating privileges to gain broader control over the WordPress installation. The weakness is classified as CWE‑89, the classic SQL injection vulnerability.
Affected Systems
Any WordPress site that has installed the wpDataTables plugin with a version of 7.3.6 or older is affected. Administrators of such sites should verify the plugin version and confirm it has not been updated to 7.4 or later.
Risk and Exploitability
The CVSS base score of 9.3 highlights a severe impact; the EPSS score of less than 1% indicates a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers typically target the plugin through unauthenticated HTTP requests directed at the plugin’s API endpoints, taking advantage of the fact that any user can craft the malicious SQL payload. Although the risk of exploitation remains low, the high severity score warrants prompt attention to prevent future increases in exploitation likelihood.
OpenCVE Enrichment