wpDataTables < 3.4.1 – Unauthenticated SQL Injection | CVE 2021-26754

Description

In the default configuration, a simple table can be published in a page that does not require authentication. The table can be searched, and is vulnerable to SQL Injection via the order parameter. An unauthenticated user visiting the page where the table is published can perform a SQL injection attack in the table search parameter order[0][dir]

Note: This affect the premium version of the plugin, however, both the premium and free plugins have the same slug.

Proof of Concept

https://example.com/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1&order[0][dir]=SQLi

Affects Plugins

wpdatatables

Fixed in 3.4.1

References

CVE

CVE-2021-26754

URL

https://n4nj0.github.io/advisories/wordpress-plugin-wpdatatables-i/

URL

https://wpdatatables.com/help/whats-new-changelog/

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

9.8 (critical)

Miscellaneous

Original Researcher

Massimiliano Ferraresi, Veno Eivazian

Verified

WPVDB ID

bfd0cfd9-0d6a-47bb-9d73-762ddc138129

Timeline

Publicly Published

2021-02-04 (about 5 years ago)

Added

2021-03-25 (about 5 years ago)

Last Updated

2021-07-18 (about 4 years ago)

Other

Published

Title

Published

2014-08-01

Title

ForumConverter - SQL Injection

Published

2024-09-18

Title

Welcart e-Commerce < 2.11.2 - Authenticated (Admin+) SQL Injection

Published

2024-06-20

Title

Themify - WooCommerce Product Filter < 1.5.0 - Unauthenticated SQL Injection via conditions Parameter

Published

2014-09-19

Title

HDW Player 2.4.2 - wp-admin/admin.php videos Page id Parameter SQL Injection

Published

2025-05-21

Title

Binary MLM Plan < 5.0 - Unauthenticated SQL Injection