CVE-2023-4314 – wpDataTables < 2.1.66 - Admin+ PHP Object Injection
https://notcve.org/view.php?id=CVE-2023-4314
16 Aug 2023 — The wpDataTables WordPress plugin before 2.1.66 does not validate the "Serialized PHP array" input data before deserializing it. This allows admins to deserialize arbitrary data, which may lead to remote code execution if a suitable gadget chain is present on the server. This is impactful in environments where admin users should not be allowed to execute arbitrary code, such as multisite. • https://wpscan.com/vulnerability/1ab192d7-72ac-4f12-8a51-f28ee4db91bc • CWE-502: Deserialization of Untrusted Data
CVE-2023-23876 – WordPress wpDataTables Plugin <= 2.1.49 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-23876
20 Feb 2023 — Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in the TMS-Plugins wpDataTables plugin, versions <= 2.1.49. The wpDataTables plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. • https://patchstack.com/database/vulnerability/wpdatatables/wordpress-wpdatatables-wordpress-tables-table-charts-plugin-plugin-2-1-49-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-29432 – WordPress wpDataTables plugin <= 2.1.27 - Multiple Authenticated Persistent Cross-Site Scripting (XSS) vulnerabilities
https://notcve.org/view.php?id=CVE-2022-29432
06 May 2022 — Multiple Authenticated (administrator or higher user role) Persistent Cross-Site Scripting (XSS) vulnerabilities in the TMS-Plugins wpDataTables plugin <= 2.1.27 on WordPress via the vulnerable parameters &data-link-text, &data-link-url, &data, &data-shortcode and &data-star-num. • https://patchstack.com/database/vulnerability/wpdatatables/wordpress-wpdatatables-plugin-2-1-27-multiple-authenticated-persistent-cross-site-scripting-xss-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-24197 – wpDataTables < 3.4.2 - Improper Access Control leading to Table Permission Takeover
https://notcve.org/view.php?id=CVE-2021-24197
16 Mar 2021 — The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low-privilege authenticated user who visits the page where the table is published can tamper with the request parameters to access the data of another user present in the same table, by taking over that user's permissions on the table through the formdata[wdt_ID] parameter. By exploiting this issue an attacker is able to access and manage the data of all users in the same table. • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii • CWE-284: Improper Access Control
CVE-2021-24198 – wpDataTables < 3.4.2 - Improper Access Control leading to Table Data Deletion
https://notcve.org/view.php?id=CVE-2021-24198
16 Mar 2021 — The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 has Improper Access Control. A low-privilege authenticated user who visits the page where the table is published can tamper with the request parameters to delete the data of another user present in the same table, through the id_key and id_val parameters. By exploiting this issue an attacker is able to delete the data of all users in the same table. • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii • CWE-284: Improper Access Control
CVE-2021-24199 – wpDataTables < 3.4.2 - Blind SQL Injection via start Parameter
https://notcve.org/view.php?id=CVE-2021-24199
16 Mar 2021 — The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low-privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, via the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application. • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-24200 – wpDataTables < 3.4.2 - Blind SQL Injection via length Parameter
https://notcve.org/view.php?id=CVE-2021-24200
16 Mar 2021 — The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low-privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, via the 'length' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application. • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2021-26754 – wpDataTables (Premium) <= 3.4 - SQL Injection
https://notcve.org/view.php?id=CVE-2021-26754
02 Feb 2021 — wpDataTables before 3.4.1 mishandles the order direction for server-side tables, aka admin-ajax.php?action=get_wdtable order[0][dir] SQL injection. • https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-i • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2014-9175 – wpDataTables (Premium) <= 1.5.3 - SQL Injection
https://notcve.org/view.php?id=CVE-2014-9175
23 Nov 2014 — SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php. • https://www.exploit-db.com/exploits/35340 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')