Description
Unauthenticated SQL Injection in wpDataTables <= 7.4 versions.
Published: 2026-06-26
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated SQL injection flaw exists in the WordPress wpDataTables plugin in all versions up to and including 7.4. The vulnerability allows an attacker to inject arbitrary SQL commands through user-supplied input parameters, which can lead to reading, modifying or deleting database contents. The weakness is catalogued as CWE-89.

Affected Systems

The wpDataTables plugin from the vendor wpDataTables is affected. Any WordPress site running the plugin at version 7.4 or earlier is susceptible.

Risk and Exploitability

The flaw carries a CVSS score of 9.3, indicating very high severity. No EPSS score is available, but the vulnerability requires no authentication and can be exercised through standard HTTP requests, which makes exploitation quite likely if a site is reachable. The issue is not listed in the CISA KEV catalog, yet it remains a significant risk to the confidentiality and integrity of the database.

Generated by OpenCVE AI on June 26, 2026 at 17:51 UTC.

Remediation

Vendor Solution

Update the WordPress wpDataTables Plugin to the latest available version (at least 7.4.1).


OpenCVE Recommended Actions

  • Update the WordPress wpDataTables plugin to the latest available version (at least 7.4.1).
  • Restart the WordPress application or clear any caching layers to ensure the new plugin code is loaded.
  • Configure a Web Application Firewall or add custom rules to block malicious SQL injection patterns against wpDataTables plugin endpoints.


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpdatatables; Wpdatatables wpdatatables
Vendors & Products | | Wordpress; Wordpress wordpress; Wpdatatables; Wpdatatables wpdatatables

Fri, 26 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated SQL Injection in wpDataTables <= 7.4 versions.
Title | | WordPress wpDataTables plugin <= 7.4 - SQL Injection vulnerability
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:51:26.440Z

Reserved: 2026-06-16T09:21:51.802Z

Link: CVE-2026-54825

Vulnrichment

Updated: 2026-06-26T15:51:20.515Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T21:15:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')