HarborGuard Database

CRITICAL · CVE-2026-49080 · CNA: Patchstack

CVE-2026-49080: WordPress wpDataTables plugin <= 7.3.6 - SQL Injection vulnerability

Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.

Metrics

  • CVSS v3.1: 9.3
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the wpDataTables WordPress plugin at version 7.3.6 and earlier. The flaw is reachable over the network without any login or account, meaning any external attacker who can reach the WordPress site can send a crafted request directly to the vulnerable endpoint. Successful exploitation gives the attacker read access to database contents and limited ability to disrupt service availability. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images containing wpDataTables 7.3.6 or earlier, including custom-built WordPress images. Any affected image in a connected registry or CI pipeline is flagged automatically.
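The matching step described above comes down to comparing each inventoried package against the advisory's affected range (TMS / wpDataTables ≤ 7.3.6, no fixed version published). The following is an added example, not HarborGuard's scanner code: it parses plugin versions into numeric tuples and runs a constructed SBOM-like inventory through the range check. The inventory entries, image names and the `Finding` type are assumptions made for the example; the package name and range come from this advisory. It also shows why a plain string comparison is unsafe for version ranges (for example "7.10.0" sorts before "7.3.6" lexicographically).

```python
"""Match a package inventory against the affected range of CVE-2026-49080.

Added example (not HarborGuard's code). Assumes a simple SBOM-like list of
{image, package, version} records; all entries below are constructed sample data.
"""
import re
from dataclasses import dataclass

CVE_ID = "CVE-2026-49080"
AFFECTED_PACKAGE = "wpdatatables"   # vendor TMS; compared case-insensitively
AFFECTED_MAX = "7.3.6"              # inclusive upper bound from the advisory (<= 7.3.6)
FIXED_IN = None                     # no fix version published yet; None keeps the range open-ended


def parse_version(v: str) -> tuple:
    """Turn '7.3.6', 'v7.3' or '7.3.6-beta1' into a comparable tuple.

    Numeric fields are compared as integers (so 7.10 > 7.3), short versions are
    padded (7.3 == 7.3.0.0), and a pre-release tag sorts before the bare release.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+\d*))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    pre = m.group(2)
    # (0, tag) for a pre-release sorts below (1, "") for the final release of the same number
    return nums + ((0, pre.lower()) if pre else (1, ""))


def is_affected(name: str, version: str) -> bool:
    """True if (name, version) falls inside the advisory's affected range."""
    if name.lower() != AFFECTED_PACKAGE:
        return False
    v = parse_version(version)
    if FIXED_IN is not None and v >= parse_version(FIXED_IN):
        return False
    return v <= parse_version(AFFECTED_MAX)


def naive_is_affected(version: str) -> bool:
    """The pitfall: comparing version strings lexicographically (do not do this)."""
    return version <= AFFECTED_MAX


@dataclass
class Finding:
    image: str
    package: str
    version: str
    cve: str
    severity: str


def scan_inventory(inventory: list) -> list:
    """Return one Finding per inventory record that matches the affected range."""
    return [
        Finding(e["image"], e["package"], e["version"], CVE_ID, "CRITICAL")
        for e in inventory
        if is_affected(e["package"], e["version"])
    ]


# Constructed sample inventory (not real customer data)
SAMPLE_INVENTORY = [
    {"image": "shop/wordpress:6.4", "package": "wpDataTables", "version": "7.3.6"},   # affected (boundary)
    {"image": "blog/wordpress:6.5", "package": "wpDataTables", "version": "7.10.0"},  # outside range: 7.10 > 7.3
    {"image": "docs/wordpress:6.5", "package": "wpDataTables", "version": "7.3"},     # affected: 7.3.0 <= 7.3.6
    {"image": "docs/wordpress:6.5", "package": "akismet", "version": "5.3"},          # different package
]

if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        print(f"{f.image}: {f.package} {f.version} matches {f.cve} ({f.severity})")
    print("naive string compare says 7.10.0 is affected:", naive_is_affected("7.10.0"))
```

The `FIXED_IN` constant is the one value to update once an upstream fix version is published; until then the check is the inclusive upper bound the advisory states.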

Triage (status: Available)

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 9.3 (Critical) and weighting that score against each customer environment's compliance policy to determine escalation priority. Findings are routable to the appropriate team inbox within each customer organization based on policy configuration.

Patch (status: Pending upstream)

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a pull request against affected workloads will be initiated without manual intervention.


Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so the attacker must be able to send HTTP requests to the WordPress installation.

  • Authentication: Not required

    No account or session credential of any kind is needed to reach or exploit the vulnerable parameter.

  • Victim interaction: Not required

    The attack is fully server-side; no user action such as clicking a link or visiting a page is required.

  • Attack complexity: Low (AC:L)

    Exploit conditions are straightforward and reliable, with no race conditions, memory-layout dependencies, or other environmental factors required.

Blast Radius

  • Attacker can read arbitrary rows from the WordPress database, including stored user credentials, session tokens, private post content, and plugin configuration data.
  • Database confidentiality is fully compromised within the scope of the MySQL user account the WordPress installation uses, which commonly spans multiple tables and in shared-hosting environments may span multiple sites.
  • The A:L impact rating indicates the attacker can cause partial availability disruption, such as resource exhaustion on the database server through query flooding.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active against any image containing wpDataTables 7.3.6 or earlier, flagged at Critical severity the moment the image is scanned. Because no upstream patch exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle and will trigger a patched-image rebuild automatically when a fix is published; customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without manual steps. In the interim, compensating controls available through HarborGuard policy enforcement include network-policy isolation to restrict public access to the WordPress admin and data-table endpoints, egress filtering to limit database lateral movement, and alerting on any new image push that introduces the affected package version. Review WordPress-level controls such as web application firewall rules targeting SQL metacharacters in table-query parameters as an additional layer while the upstream fix is pending.

Affected packages
  • TMS / wpDataTables
    ≤ 7.3.6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L