Ninja Tables < 5.2.7 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation | CVE 2026-2306 | Plugin Vulnerabilities

Description

The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion.

Affects Plugins

Fixed in 5.2.7

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/592d42eb-4025-44af-a519-672656ad8b0e

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

nquangit

Verified

No

WPVDB ID

2318b7e9-b644-4e6c-b134-f9c2bed2215c

Timeline

Publicly Published

2026-05-05 (about 1 month ago)

Added

2026-05-05 (about 1 month ago)

Last Updated

2026-05-06 (about 1 month ago)

Other

Published

Title

Published

2022-11-21

Title

Betheme < 26.6.3 - Subscriber+ Unauthorised Action

Published

2023-11-01

Title

Funnelforms Free < 3.4.2 - Missing Authorization to Enable/Disable Dark Mode

Published

2025-01-16

Title

Delete All Posts <= 1.1.1 - Missing Authorization

Published

2022-01-12

Title

Ibtana < 1.1.4.9 - Subscriber+ Settings Update to Stored XSS

Published

2024-04-16

Title

WP Cookie Consent ( for GDPR, CCPA & ePrivacy ) < 3.1.0 - Missing Authorization to Unauthenticated Arbitrary Post Deletion