CVE-2021-24199 in wpDataTables
Summary
by MITRE • 04/12/2021
The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.
Analysis
by VulDB Data Team • 04/15/2021
The wpDataTables plugin represents a popular WordPress solution for creating interactive tables and charts, with the premium version offering enhanced functionality for data visualization. This particular vulnerability affects versions prior to 3.4.2, indicating a security regression that was introduced in the plugin's development lifecycle. The flaw manifests within the administrative AJAX endpoint that handles table data retrieval, specifically when processing table lists through the wp-admin/admin-ajax.php interface. The vulnerability's impact extends beyond simple data exposure as it provides attackers with complete database access, potentially enabling full compromise of the WordPress application environment.
The vulnerability is exploited through a Boolean-based blind SQL injection that targets the 'start' parameter of the HTTP POST request to the endpoint named above. Because the parameter is not properly validated, an attacker can craft input that alters the structure of the underlying database query without receiving direct error feedback. The attack requires only a low-privilege authenticated account, meaning that any user with basic WordPress access could potentially exploit the weakness. The Boolean-based nature of the injection means that attackers must infer database contents one true/false condition at a time, from differences in the application's response, rather than retrieving data directly; this makes the attack slower and more subtle, but no less dangerous.
The operational impact of this vulnerability is severe as it provides attackers with complete database access to WordPress and potentially all associated data within the wpDataTables plugin's scope. This access includes but is not limited to user credentials, post content, configuration settings, and potentially other WordPress database entries. The vulnerability essentially allows for a complete takeover of the WordPress application's data layer, enabling attackers to modify content, escalate privileges, or extract sensitive information. The low privilege requirement means that attackers need minimal access to the WordPress environment to exploit this flaw, making it particularly concerning for sites with numerous users or less stringent access controls.
Security mitigations for this vulnerability should focus on immediate plugin updates to version 3.4.2 or later, which contain the necessary patches to prevent the SQL injection attack. Additionally, implementing proper input validation and sanitization for all user-supplied data within the plugin's AJAX endpoints is crucial. Network-level protections such as web application firewalls can provide additional defense-in-depth measures, though they should not replace proper code-level fixes. The vulnerability aligns with CWE-89 which specifically addresses SQL injection flaws, and represents a clear violation of secure coding practices that should be enforced through proper input validation and parameterized queries. From an ATT&CK perspective, this vulnerability maps to T1190 - Exploit Public-Facing Application and T1078 - Valid Accounts, as it allows attackers to leverage existing user credentials to gain elevated access to database resources. Organizations should also implement monitoring for unusual AJAX endpoint activity and consider restricting administrative access to reduce the attack surface for such vulnerabilities.
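The monitoring recommended above can be turned into a concrete check: a Boolean-based blind injection needs many true/false probes, so a single user sending repeated get_wdtable requests whose 'start' value is not a plain pagination offset is a strong signal. The following is an added example, not VulDB's or the plugin's own code; the one-JSON-object-per-line log format and its field names (user, path, query, post) are assumptions to adapt to your proxy or WAF logs.

```python
"""Flag probing of the wpDataTables get_wdtable AJAX endpoint in request logs."""
import json
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample log lines: two legitimate page loads by editor1, then a
# burst from subscriber7 whose 'start' values are not plain integer offsets.
SAMPLE_LOG = """
{"user":"editor1","path":"/wp-admin/admin-ajax.php","query":"action=get_wdtable&table_id=1","post":"draw=1&start=0&length=10"}
{"user":"editor1","path":"/wp-admin/admin-ajax.php","query":"action=get_wdtable&table_id=1","post":"draw=2&start=10&length=10"}
{"user":"subscriber7","path":"/wp-admin/admin-ajax.php","query":"action=get_wdtable&table_id=1","post":"draw=1&start=0%20AND%201%3D1&length=10"}
{"user":"subscriber7","path":"/wp-admin/admin-ajax.php","query":"action=get_wdtable&table_id=1","post":"draw=1&start=0%20AND%201%3D2&length=10"}
{"user":"subscriber7","path":"/wp-admin/admin-ajax.php","query":"action=get_wdtable&table_id=1","post":"draw=1&start=abc&length=10"}
{"user":"subscriber7","path":"/wp-admin/admin-ajax.php","query":"action=other","post":"start=x"}
""".strip()

# A legitimate DataTables 'start' is a small non-negative integer offset.
OFFSET_RE = re.compile(r"^\d{1,9}$")


def analyze(log_text, burst_threshold=3):
    """Return (malformed, bursts).

    malformed: list of (user, start) for get_wdtable requests whose 'start'
               is not a plain integer offset.
    bursts:    users with at least burst_threshold malformed requests; blind
               injection needs many probes, so volume per user is the
               stronger signal than any single odd value.
    """
    malformed = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if not rec["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        if parse_qs(rec["query"]).get("action") != ["get_wdtable"]:
            continue  # only the vulnerable action is of interest here
        body = parse_qs(rec["post"], keep_blank_values=True)
        start = body.get("start", [""])[0]  # parse_qs URL-decodes the value
        if not OFFSET_RE.match(start):
            malformed.append((rec["user"], start))
    per_user = Counter(user for user, _ in malformed)
    bursts = sorted(u for u, n in per_user.items() if n >= burst_threshold)
    return malformed, bursts


if __name__ == "__main__":
    hits, noisy_users = analyze(SAMPLE_LOG)
    for user, value in hits:
        print(f"malformed start from {user}: {value!r}")
    print("users exceeding burst threshold:", noisy_users)
```

Correlating the flagged user with the WordPress audit trail (login time, role) and confirming the plugin version is below 3.4.2 turns a hit into an incident.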