CVE-2026-54825: WordPress wpDataTables plugin <= 7.4 - SQL Injection vulnerability
Unauthenticated SQL Injection in wpDataTables <= 7.4 versions.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: no fixed version published
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability affects the wpDataTables WordPress plugin at version 7.4 and earlier. The flaw is reachable over the network with no login or authentication required, meaning any internet-facing WordPress site running the affected plugin is exposed. Successful exploitation gives an attacker full read access to the underlying database and limited ability to disrupt availability. No fix version has been published yet; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
- Detection: Available. Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images, including custom-built WordPress-based images, in registry scans and CI pipeline checks.
- Triage: Available. Triage is available with the full CVSS v3.1 score of 9.3 (Critical) applied automatically, weighted against each customer organization's compliance policy to determine urgency routing. Findings are surfaced to the appropriate team inbox within each customer org based on configured severity thresholds and ownership rules.
- Patched image: Pending upstream. Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, advisory status updates are surfaced automatically to affected environments as new information is ingested.
Exploit Conditions
- Network reachability: Required. The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress site via HTTP or HTTPS.
- Authentication: Not required. No account or session credential of any privilege level is needed to trigger the SQL injection.
- Victim interaction: Not required. The attack is fully automated and does not require any action from a logged-in user or site visitor.
- Attack complexity: Low. Exploit conditions are straightforward and reliable, with no race conditions or special environmental factors required.
Blast Radius
- An attacker can read arbitrary rows from the WordPress database, including stored user credentials, password hashes, session tokens, and any customer or application data held in the database.
- Because WordPress installations typically store plugin configuration, API keys, and integration secrets in the database, those values are exposed to extraction.
- The availability impact is low but present; an attacker can craft queries that increase database load or degrade query response times for the affected site.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-54825 is active across all customer environments running image scans or pipeline checks that include wpDataTables-bearing WordPress images. Because no upstream fix exists at this time, HarborGuard monitors the Patchstack advisory and the wpDataTables release feed on every ingest cycle. The moment a patched version is published upstream, a rebuilt image at that version becomes available, and customers with auto-remediation enabled will receive an automatic rebuild, a regression test run, and a PR opened against affected workloads. Until a fix is available, recommended compensating controls include applying a web application firewall rule to block SQL-injection patterns against wpDataTables endpoints, isolating the WordPress database instance behind a network policy that restricts direct external access, and reviewing database user privileges to enforce least-privilege access for the WordPress database account.
Affected Products
- wpDataTables / wpDataTables: ≤ 7.4
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L