Search

Find a vulnerability

Search criteria

    8 vulnerabilities found for Ninja Tables – Easy Data Table Builder by techjewel

    CVE-2026-2306 (GCVE-0-2026-2306)

    Vulnerability from nvd – Published: 2026-05-06 04:26 – Updated: 2026-05-06 14:33
    VLAI
    Title
    Ninja Tables <= 5.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation
    Summary
    The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Quang Huynh Ngoc
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2306",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T14:33:34.403403Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T14:33:46.147Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ninja Tables \u2013 Easy Data Table Builder",
              "vendor": "techjewel",
              "versions": [
                {
                  "lessThanOrEqual": "5.2.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Quang Huynh Ngoc"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Ninja Tables \u2013 Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T04:26:48.825Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/592d42eb-4025-44af-a519-672656ad8b0e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/app/Modules/FluentCart/Handlers/FluentCartHandler.php#L44"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.2.6/app/Modules/FluentCart/Handlers/FluentCartHandler.php#L44"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/app/Modules/FluentCart/FluentCartModule.php#L23"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.2.6/app/Modules/FluentCart/FluentCartModule.php#L23"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3453522%40ninja-tables%2Ftrunk\u0026old=3447894%40ninja-tables%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-28T17:02:32.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-05T15:30:47.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Ninja Tables \u003c= 5.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2306",
        "datePublished": "2026-05-06T04:26:48.825Z",
        "dateReserved": "2026-02-10T20:14:05.573Z",
        "dateUpdated": "2026-05-06T14:33:46.147Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2940 (GCVE-0-2025-2940)

    Vulnerability from nvd – Published: 2025-06-27 08:23 – Updated: 2026-04-08 16:32
    VLAI
    Title
    Ninja Tables – Easy Data Table Builder <= 5.0.18 - Unauthenticated Server-Side Request Forgery
    Summary
    The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.18 via the args[url] parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Credits
    Trương Hữu Phúc (truonghuuphuc)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2940",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-27T13:34:23.990792Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-27T13:34:55.809Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ninja Tables \u2013 Easy Data Table Builder",
              "vendor": "techjewel",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.18",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Ninja Tables \u2013 Easy Data Table Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.18 via the args[url] parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:32:40.188Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02480559-be5c-4d23-9e62-bb76fafb4f42?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L268"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.18/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L268"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3269692%40ninja-tables\u0026new=3269692%40ninja-tables\u0026sfp_email=\u0026sfph_mail="
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.19/vendor/wpfluent/framework/src/WPFluent/Http/Client.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-12T11:15:33.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-06-26T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Ninja Tables \u2013 Easy Data Table Builder \u003c= 5.0.18 - Unauthenticated Server-Side Request Forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2940",
        "datePublished": "2025-06-27T08:23:57.327Z",
        "dateReserved": "2025-03-28T17:41:37.931Z",
        "dateUpdated": "2026-04-08T16:32:40.188Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2939 (GCVE-0-2025-2939)

    Vulnerability from nvd – Published: 2025-06-03 02:27 – Updated: 2026-04-08 17:06
    VLAI
    Title
    Ninja Tables – Easy Data Table Builder <= 5.0.18 - Unauthenticated PHP Object Injection to Limited Remote Code Execution
    Summary
    The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Credits
    Trương Hữu Phúc (truonghuuphuc)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2939",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-03T14:51:18.334809Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-03T14:51:37.647Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ninja Tables \u2013 Easy Data Table Builder",
              "vendor": "techjewel",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.18",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Ninja Tables \u2013 Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:06:18.334Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e38553d-5dba-4c84-95f7-43420245c770?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.18/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.19/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-02T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Ninja Tables \u2013 Easy Data Table Builder \u003c= 5.0.18 - Unauthenticated PHP Object Injection to Limited Remote Code Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2939",
        "datePublished": "2025-06-03T02:27:34.986Z",
        "dateReserved": "2025-03-28T17:36:43.707Z",
        "dateUpdated": "2026-04-08T17:06:18.334Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-7304 (GCVE-0-2024-7304)

    Vulnerability from nvd – Published: 2024-08-27 06:48 – Updated: 2026-04-08 17:16
    VLAI
    Title
    Ninja Tables – Easiest Data Table Builder <= 5.0.12 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
    Summary
    The Ninja Tables – Easiest Data Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7304",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-27T13:56:12.623600Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-27T13:56:41.164Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ninja Tables \u2013 Easy Data Table Builder",
              "vendor": "techjewel",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.12",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Ninja Tables \u2013 Easiest Data Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:16:20.760Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b1eb6896-2de3-4d4d-9b5f-253aaffd193b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.12/app/Hooks/filters.php#L28"
            },
            {
              "url": "https://wordpress.org/plugins/ninja-tables/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3140370/#file408"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3140370/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-08-26T18:30:02.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Ninja Tables \u2013 Easiest Data Table Builder \u003c= 5.0.12 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-7304",
        "datePublished": "2024-08-27T06:48:04.267Z",
        "dateReserved": "2024-07-30T18:21:40.600Z",
        "dateUpdated": "2026-04-08T17:16:20.760Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2306 (GCVE-0-2026-2306)

    Vulnerability from cvelistv5 – Published: 2026-05-06 04:26 – Updated: 2026-05-06 14:33
    VLAI
    Title
    Ninja Tables <= 5.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation
    Summary
    The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Quang Huynh Ngoc
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2306",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T14:33:34.403403Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T14:33:46.147Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ninja Tables \u2013 Easy Data Table Builder",
              "vendor": "techjewel",
              "versions": [
                {
                  "lessThanOrEqual": "5.2.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Quang Huynh Ngoc"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Ninja Tables \u2013 Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T04:26:48.825Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/592d42eb-4025-44af-a519-672656ad8b0e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/app/Modules/FluentCart/Handlers/FluentCartHandler.php#L44"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.2.6/app/Modules/FluentCart/Handlers/FluentCartHandler.php#L44"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/app/Modules/FluentCart/FluentCartModule.php#L23"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.2.6/app/Modules/FluentCart/FluentCartModule.php#L23"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3453522%40ninja-tables%2Ftrunk\u0026old=3447894%40ninja-tables%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-28T17:02:32.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-05T15:30:47.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Ninja Tables \u003c= 5.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2306",
        "datePublished": "2026-05-06T04:26:48.825Z",
        "dateReserved": "2026-02-10T20:14:05.573Z",
        "dateUpdated": "2026-05-06T14:33:46.147Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2940 (GCVE-0-2025-2940)

    Vulnerability from cvelistv5 – Published: 2025-06-27 08:23 – Updated: 2026-04-08 16:32
    VLAI
    Title
    Ninja Tables – Easy Data Table Builder <= 5.0.18 - Unauthenticated Server-Side Request Forgery
    Summary
    The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.18 via the args[url] parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Credits
    Trương Hữu Phúc (truonghuuphuc)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2940",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-27T13:34:23.990792Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-27T13:34:55.809Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ninja Tables \u2013 Easy Data Table Builder",
              "vendor": "techjewel",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.18",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Ninja Tables \u2013 Easy Data Table Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.18 via the args[url] parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:32:40.188Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02480559-be5c-4d23-9e62-bb76fafb4f42?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L268"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.18/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L268"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3269692%40ninja-tables\u0026new=3269692%40ninja-tables\u0026sfp_email=\u0026sfph_mail="
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.19/vendor/wpfluent/framework/src/WPFluent/Http/Client.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-12T11:15:33.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2025-06-26T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Ninja Tables \u2013 Easy Data Table Builder \u003c= 5.0.18 - Unauthenticated Server-Side Request Forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2940",
        "datePublished": "2025-06-27T08:23:57.327Z",
        "dateReserved": "2025-03-28T17:41:37.931Z",
        "dateUpdated": "2026-04-08T16:32:40.188Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-2939 (GCVE-0-2025-2939)

    Vulnerability from cvelistv5 – Published: 2025-06-03 02:27 – Updated: 2026-04-08 17:06
    VLAI
    Title
    Ninja Tables – Easy Data Table Builder <= 5.0.18 - Unauthenticated PHP Object Injection to Limited Remote Code Execution
    Summary
    The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-502 - Deserialization of Untrusted Data
    Assigner
    Impacted products
    Credits
    Trương Hữu Phúc (truonghuuphuc)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2939",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-06-03T14:51:18.334809Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-03T14:51:37.647Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ninja Tables \u2013 Easy Data Table Builder",
              "vendor": "techjewel",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.18",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tr\u01b0\u01a1ng H\u1eefu Ph\u00fac (truonghuuphuc)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Ninja Tables \u2013 Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "CWE-502 Deserialization of Untrusted Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:06:18.334Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e38553d-5dba-4c84-95f7-43420245c770?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.18/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.19/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-06-02T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Ninja Tables \u2013 Easy Data Table Builder \u003c= 5.0.18 - Unauthenticated PHP Object Injection to Limited Remote Code Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-2939",
        "datePublished": "2025-06-03T02:27:34.986Z",
        "dateReserved": "2025-03-28T17:36:43.707Z",
        "dateUpdated": "2026-04-08T17:06:18.334Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-7304 (GCVE-0-2024-7304)

    Vulnerability from cvelistv5 – Published: 2024-08-27 06:48 – Updated: 2026-04-08 17:16
    VLAI
    Title
    Ninja Tables – Easiest Data Table Builder <= 5.0.12 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
    Summary
    The Ninja Tables – Easiest Data Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7304",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-27T13:56:12.623600Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-27T13:56:41.164Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ninja Tables \u2013 Easy Data Table Builder",
              "vendor": "techjewel",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.12",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Ninja Tables \u2013 Easiest Data Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:16:20.760Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b1eb6896-2de3-4d4d-9b5f-253aaffd193b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.12/app/Hooks/filters.php#L28"
            },
            {
              "url": "https://wordpress.org/plugins/ninja-tables/#developers"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3140370/#file408"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3140370/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-08-26T18:30:02.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Ninja Tables \u2013 Easiest Data Table Builder \u003c= 5.0.12 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-7304",
        "datePublished": "2024-08-27T06:48:04.267Z",
        "dateReserved": "2024-07-30T18:21:40.600Z",
        "dateUpdated": "2026-04-08T17:16:20.760Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }