CVE-2024-4895 in wpDataTables Plugininfo

Summary

by MITRE • 05/23/2024

The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CSV import functionality in all versions up to, and including, 3.4.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 03/28/2025

The wpDataTables plugin for WordPress represents a widely used tool for creating dynamic data tables and charts within wordpress environments, making it an attractive target for malicious actors seeking to exploit vulnerabilities within content management systems. This particular vulnerability affects all versions up to and including 3.4.2.12, indicating a prolonged period during which the flaw remained unaddressed. The vulnerability stems from inadequate input sanitization and output escaping mechanisms specifically within the CSV import functionality, creating a persistent security gap that allows attackers to inject malicious scripts into the system.

The technical nature of this stored cross-site scripting vulnerability operates through the CSV import feature where attackers can upload specially crafted CSV files containing malicious javascript code. When these files are processed by the plugin, the input validation fails to properly sanitize the data, allowing script tags and other malicious elements to be stored within the database. The output escaping mechanism also proves insufficient, meaning that when legitimate users access pages containing this injected content, the stored scripts execute in their browsers without proper context or security restrictions. This creates a persistent threat where any user who accesses affected pages becomes a potential victim of the stored XSS attack.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to perform various malicious activities including session hijacking, credential theft, and redirection to phishing sites. Since the vulnerability affects unauthenticated attackers, no prior access credentials are required to exploit the flaw, making it particularly dangerous for wordpress installations that rely on this plugin. The stored nature of the vulnerability means that once injected, the malicious scripts remain persistent until manually removed from the system, potentially affecting all users who encounter the compromised content.

This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications, and represents a classic example of inadequate input validation and output escaping patterns. From an att&ck framework perspective, this vulnerability maps to techniques involving code injection and persistence mechanisms, allowing attackers to establish long-term access to compromised wordpress environments. The impact is particularly severe given that wordpress plugins often have elevated privileges within the system, potentially providing attackers with additional attack surface areas beyond simple script execution. Security professionals should prioritize immediate remediation through plugin updates while implementing additional monitoring for suspicious file uploads and user activities related to table creation and data import functions.

Mitigation strategies should include immediate plugin version updates to the latest secure release, implementation of web application firewalls with XSS detection capabilities, and regular security auditing of uploaded files and database content. Organizations should also consider implementing principle of least privilege access controls for users who can upload CSV files or modify table configurations, while establishing automated monitoring systems that can detect anomalous script injection patterns within the wordpress environment. The vulnerability demonstrates the critical importance of proper input sanitization and output escaping in web applications, particularly those handling user-provided data through import functions.

Reservation

05/15/2024

Disclosure

05/23/2024

Moderation

accepted

CPE

ready

EPSS

0.00374

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!