wpDataTables (Premium) < 6.5.0.2 – Unauthenticated Local File Inclusion | CVE 2026-28039

Description

The wpDataTables (Premium) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 6.5.0.1. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

Proof of Concept

The PoC will be displayed on April 03, 2026, to give users the time to update.

Affects Plugins

wpdatatables

Fixed in 6.5.0.2

References

CVE

CVE-2026-28039

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/9cad3174-b1af-4e23-be72-6afb2d6cea84

Classification

Type

RFI

OWASP top 10

A1: Injection

CWE

CWE-98

CVSS

8.1 (high)

Miscellaneous

Original Researcher

Nguyen Xuan Chien

Verified

Yes

WPVDB ID

01182d0b-ccfc-4093-88a1-3a9320d00b89

Timeline

Publicly Published

2026-03-03 (about 8 days ago)

Added

2026-03-05 (about 5 days ago)

Last Updated

2026-03-09 (about 1 day ago)

Other

Published

Title

Published

2025-12-31

Title

PartyMaker <= 1.1.15 - Unauthenticated Local File Inclusion

Published

2025-07-28

Title

Premmerce User Roles < 1.0.14 - Unauthenticated Local File Inclusion

Published

2025-07-07

Title

WoodMart < 8.2.4 - Authenticated (Contributor+) Local File Inclusion

Published

2025-08-23

Title

Frame <= 2.4.0 - Unauthenticated Local File Inclusion

Published

2026-01-19

Title

Werkstatt < 4.8.3 - Unauthenticated Local File Inclusion