Ninja Tables WordPress Plugin PHP Object Injection Vulnerability Allowing Limited Remote Code Execution

Vulnerability

A PHP Object Injection vulnerability has been identified in the Ninja Tables – Easy Data Table Builder plugin for WordPress, affecting all versions through 5.0.18. The vulnerability arises from the deserialization of untrusted input in the args[callback] parameter, allowing unauthenticated attackers to inject PHP objects. While the presence of a Property-Oriented Programming (POP) chain could enable the execution of arbitrary functions, the impact is limited as only single functions can be called without user-supplied parameters.

Impact

Exploitation of this vulnerability allows for PHP Object Injection, with the potential to execute arbitrary functions, although in a limited capacity.

Reproduction

To reproduce this vulnerability, send a request to a WordPress site running the Ninja Tables plugin at version 5.0.18 or earlier, with a serialized PHP object in the args[callback] parameter. Deserialization of that input triggers the PHP Object Injection vulnerability.
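The pattern the advisory describes (untrusted request data reaching unserialize()) beside a hardened handler and a log-side check, as an added illustration rather than Ninja Tables' own code; the function names, the callback whitelist and the request shape are assumptions, and PHP 8 is assumed for the return types:

```php
<?php
// Hypothetical handler for the args[callback] request parameter (assumed shape).

// Pattern described in the advisory: unserialize() on request data lets the
// request author instantiate any loaded class, which is the object-injection primitive.
function handle_callback_unsafe(array $request): mixed
{
    $raw = $request['args']['callback'] ?? '';
    return unserialize($raw);   // untrusted input reaches unserialize()
}

// Hardened form: never unserialize request data. Accept only a whitelisted
// callback name (assumed names) and resolve it server-side; reject anything else.
const ALLOWED_CALLBACKS = ['render_table', 'export_csv'];

function handle_callback_safe(array $request): ?string
{
    $name = $request['args']['callback'] ?? '';
    if (!is_string($name) || !in_array($name, ALLOWED_CALLBACKS, true)) {
        $shown = is_string($name) ? substr($name, 0, 64) : gettype($name);
        error_log('rejected args[callback] value: ' . $shown);   // detection signal
        return null;
    }
    return $name;
}

// If stored data must still be deserialized, forbid object creation entirely:
// serialized objects come back as __PHP_Incomplete_Class and no magic method runs.
function deserialize_without_objects(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Log-review helper: flags a value that carries a serialized-object marker,
// which is the shape a request exploiting this issue would have.
function looks_like_serialized_object(string $value): bool
{
    return (bool) preg_match('/(?:^|;)O:\d+:"/', $value);
}

// Constructed request: a serialized, empty stdClass (harmless, used only for shape).
$request = ['args' => ['callback' => 'O:8:"stdClass":0:{}']];
var_dump(handle_callback_safe($request));                       // NULL: rejected
var_dump(looks_like_serialized_object($request['args']['callback'])); // bool(true)
var_dump(deserialize_without_objects($request['args']['callback'])); // __PHP_Incomplete_Class
```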

Remediation

Users are advised to update the Ninja Tables WordPress plugin to version 5.0.19 or a newer patched version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 7.5
exploitability: 9.3
remediation: 7.7
relevance: 0.1
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined into the overall risk score.