MEDIUM🇵🇱 Wersja polska

CVE-2025-2939

CVSS 5.6v3.1pub. 2025-06-03upd. 2025-07-10

The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
  • Wpmanageninja Ninja Tables

    APP
    Wpmanageninja
    < 5.0.19
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassDeserialization
CWE
References

Related vulnerabilities

CVE-2025-2940HIGH7.2ten sam produkt

The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to Server-Side Request Forgery i...

CVE-2024-12772MEDIUM5.4ten sam produkt

The Ninja Tables WordPress plugin before 5.0.17 does not sanitize and escape a parameter before outputting it...

CVE-2024-7304MEDIUM6.4ten sam produkt

The Ninja Tables – Easiest Data Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scriptin...

CVE-2024-23504MEDIUM5.3ten sam produkt

Missing Authorization vulnerability in WPManageNinja LLC Ninja Tables.This issue affects Ninja Tables: from n/...

CVE-2024-23503MEDIUM4.3ten sam produkt

Missing Authorization vulnerability in WPManageNinja LLC Ninja Tables.This issue affects Ninja Tables: from n/...