WordPress Plugin Vulnerabilities

Ninja Tables – Easy Data Table Builder < 5.0.19 - Unauthenticated PHP Object Injection to Limited Remote Code Execution

Description

The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited.

Affects Plugins

Plugin icon
ninja-tables
Fixed in 5.0.19

References

CVE
CVE-2025-2939
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8e38553d-5dba-4c84-95f7-43420245c770

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
5.6 (medium)

Miscellaneous

Original Researcher
Trương Hữu Phúc (truonghuuphuc)
Verified
No
WPVDB ID
5806485d-a390-4b20-8036-d866b8164174

Timeline

Publicly Published
2025-06-02 (about 1 year ago)
Added
2025-06-02 (about 1 year ago)
Last Updated
2025-06-03 (about 1 year ago)

Other

Published
Title
Published
2025-01-07
Title
WC Price History for Omnibus < 2.1.5 - Authenticated (Shop manager+) PHP Object Injection
Published
2024-03-18
Title
Tourfic < 2.11.19 - Authenticated (Subscriber+) PHP Object Injection
Published
2026-03-16
Title
WooCommerce Infinite Scroll <= 1.6.2 - Authenticated (Subscriber+) PHP Object Injection
Published
2026-04-20
Title
EasyMeals < 1.6 - Unauthenticated PHP Object Injection
Published
2024-05-07
Title
Ultimate Store Kit Elementor Addons < 2.0.4 - Unauthenticated PHP Object Injection