Ninja Tables – Easy Data Table Builder < 5.0.19 – Unauthenticated Server-Side Request Forgery | CVE 2025-2940 | Plugin Vulnerabilities

Description

The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.18 via the args[url] parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affects Plugins

Fixed in 5.0.19

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/02480559-be5c-4d23-9e62-bb76fafb4f42

Classification

Type

SSRF

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Trương Hữu Phúc (truonghuuphuc)

Verified

No

WPVDB ID

e308fe4c-9826-4858-bb70-9e0098e3a079

Timeline

Publicly Published

2025-06-26 (about 11 months ago)

Added

2025-06-26 (about 11 months ago)

Last Updated

2025-06-27 (about 11 months ago)

Other

Published

Title

Published

2025-10-03

Title

Orbit Fox < 3.0.2 - Author+ Server-Side Request Forgery

Published

2025-11-23

Title

External Media <= 1.0.36 - Authenticated (Contributor+) Server-Side Request Forgery

Published

2025-09-09

Title

WP eBay Product Feeds < 3.4.9 - Authenticated (Contributor+) Server Side Request Forgery

Published

2025-04-09

Title

PowerPress Podcasting < 11.12.7 - Contributor+ SSRF

Published

2024-04-22

Title

BuddyForms < 2.8.9 - Unauthenticated Arbitrary File Read and Server-Side Request Forgery