CVE-2014-9175 in wpdatatables

Summary

by MITRE

SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php.


Analysis

by VulDB Data Team • 06/30/2025

The vulnerability identified as CVE-2014-9175 is a critical SQL injection flaw in the wpDataTables WordPress plugin, version 1.5.3 and earlier. It lies in wpdatatables.php, in the handling of the table_id parameter of the get_wdtable action. A remote attacker can execute arbitrary SQL commands by manipulating table_id in a request to wp-admin/admin-ajax.php, the endpoint through which WordPress dispatches plugin AJAX actions, including ones that are reachable without authentication.

Technically the flaw is an instance of CWE-89 (improper neutralization of special elements used in an SQL command). The plugin does not validate or sanitize the table_id parameter before using it in a database query: the raw input is concatenated into the SQL statement without escaping or parameterization, so the attacker controls part of the query's syntax rather than just a bound value. That is what makes the condition exploitable and allows manipulation of the whole database rather than the single lookup the code intended.

Operationally, this vulnerability presents a severe risk to WordPress installations using the affected wpDataTables plugin. Attackers can leverage this flaw to extract sensitive data from the database, including user credentials, personal information, and administrative details. The remote execution capability means attackers do not require local access or authentication to exploit the vulnerability, making it particularly dangerous for publicly accessible websites. Additionally, the vulnerability could enable attackers to modify or delete database records, potentially leading to complete system compromise and data loss.

The impact extends beyond simple data theft, because database access obtained through SQL injection is a foothold for further attacks within the WordPress environment. An attacker who can read and write the database can alter its structure, change user roles, inject malicious content into the installation, or plant persistent backdoors. Because the vulnerable action is dispatched through WordPress's AJAX endpoint, exploitation can also serve as a step toward privilege escalation or unauthorized access to the administrative panels. Organizations should treat this vulnerability as part of a broader attack surface that can end in complete system compromise and a data breach.

Mitigation for CVE-2014-9175 starts with updating the wpDataTables plugin to version 1.5.4 or later, which contains the security fix. Administrators should also ensure that every database interaction validates its input and uses parameterized queries, and that output is escaped appropriately. A web application firewall and database query monitoring help detect and block exploitation attempts. Regular security audits of installed WordPress plugins and themes will surface similar flaws before they are exploited. For defensive planning, ATT&CK framework guidance on SQL injection can be used to prioritise controls that prevent unauthorized database access and enforce input sanitization.
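As an added illustration, not the plugin's own code, the concatenation pattern the analysis describes is shown next to a parameterized handler for the same action; the function names, the table name and the response helpers used are assumptions about a WordPress-style handler:

```php
<?php
// Added illustration, not wpDataTables code. Assumes a WordPress runtime
// ($wpdb, absint, wp_send_json_*, add_action); the table name is assumed.

// The pattern described in the analysis: table_id goes straight into SQL.
function example_get_wdtable_unsafe() {
    global $wpdb;
    $table_id = $_GET['table_id'];                    // untrusted, unvalidated
    $sql = "SELECT * FROM {$wpdb->prefix}wpdatatables WHERE id = " . $table_id;
    $row = $wpdb->get_row( $sql );                    // caller controls query syntax
    wp_send_json( $row );
}

// Hardened form: enforce the expected type first, then bind the value so the
// database receives it as data, never as part of the statement.
function example_get_wdtable_safe() {
    global $wpdb;
    if ( ! isset( $_GET['table_id'] ) || ! ctype_digit( (string) $_GET['table_id'] ) ) {
        wp_send_json_error( 'invalid table_id', 400 );   // reject anything non-numeric
    }
    $table_id = absint( $_GET['table_id'] );
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}wpdatatables WHERE id = %d",
        $table_id
    );
    $row = $wpdb->get_row( $sql );
    if ( null === $row ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( $row );
}

// admin-ajax.php dispatches both hooks; the nopriv hook is what exposes the
// action to unauthenticated requests, so it must never reach the unsafe path.
add_action( 'wp_ajax_get_wdtable',        'example_get_wdtable_safe' );
add_action( 'wp_ajax_nopriv_get_wdtable', 'example_get_wdtable_safe' );
```

The type check before prepare() is deliberate: a numeric identifier that is validated as digits and bound with %d leaves no string position for an attacker to influence, whereas escaping alone still relies on the query author quoting correctly.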

Reservation: 12/02/2014
Disclosure: 12/02/2014
Moderation: accepted
Entry: VDB-73057
CPE: ready
Exploit: Download
EPSS: 0.03858
KEV: no
Activities: very low

Sources
