WordPress Plugin Vulnerabilities

wpDataTables < 3.4.2 - Blind SQL Injection via start Parameter

Description

The plugin allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.

Note: This affect the premium version of the plugin, however, both the premium and free plugins have the same slug.

Affects Plugins

Plugin icon
wpdatatables
Fixed in 3.4.2

References

CVE
CVE-2021-24199
URL
https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-ii/
URL
https://wpdatatables.com/help/whats-new-changelog/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
Veno Eivazian, Massimiliano Ferraresi
Submitter
Veno Eivazian
Submitter website
https://n4nj0.github.io/
Verified
Yes
WPVDB ID
5c98c2d6-d002-4cff-9d6f-633cb3ec6280

Timeline

Publicly Published
2021-03-16 (about 4 years ago)
Added
2021-03-25 (about 4 years ago)
Last Updated
2021-03-28 (about 4 years ago)

Other

Published
Title
Published
2021-09-21
Title
Game Server Status <= 1.0 - Admin+ SQL Injection
Published
2024-04-03
Title
REHub Framework < 19.6.2 - Authenticated (Subscriber+) SQL Injection
Published
2018-08-16
Title
Chained Quiz <= 1.0.8 - Unauthenticated SQL Injection
Published
2025-07-29
Title
Smart Slider 3 < 3.5.1.29 - Admin+ SQL Injection
Published
2023-12-21
Title
Post SMTP < 2.8.7 - Admin+ SQL Injection