CVE-2025-2939

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-2939
The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited.

5.6 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.18/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399
https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.19/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399
https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399
https://www.wordfence.com/threat-intel/vulnerabilities/id/8e38553d-5dba-4c84-95f7-43420245c770?source=cve
Configurations

No configuration.

History

04 Jun 2025, 14:54

Type Values Removed Values Added
Summary
  • (es) El complemento Ninja Tables – Easy Data Table Builder para WordPress es vulnerable a la inyección de objetos PHP en todas las versiones hasta la 5.0.18 incluida, mediante la deserialización de entradas no confiables del parámetro args[callback]. Esto permite a atacantes no autenticados inyectar un objeto PHP. La presencia adicional de una cadena POP permite a los atacantes ejecutar funciones arbitrarias, aunque no permite parámetros proporcionados por el usuario; solo se pueden invocar funciones individuales, por lo que el impacto es limitado.

03 Jun 2025, 03:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-03 03:15

Updated : 2025-06-04 14:54

NVD link : CVE-2025-2939

Mitre link : CVE-2025-2939

CVE.ORG link : CVE-2025-2939

JSON object : View

Products Affected

No product.

CWE
CWE-502

Deserialization of Untrusted Data