CVE-2024-7304 in Ninja Tables Plugin

Summary

by MITRE • 08/27/2024

The Ninja Tables – Easiest Data Table Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 5.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.


Analysis

by VulDB Data Team • 03/12/2025

The vulnerability identified as CVE-2024-7304 affects the Ninja Tables WordPress plugin in all versions up to and including 5.0.12. It is a critical flaw in the plugin's handling of SVG file uploads that opens a path to persistent cross-site scripting. The issue is particularly concerning because it requires only Author-level privileges or higher, so it is reachable by users who should normally have restricted capabilities within a WordPress site. The root cause is inadequate input sanitization and insufficient output escaping in the plugin's file upload processing.

In practice, an authenticated attacker uploads an SVG file that carries embedded JavaScript or other script-bearing markup. When another user opens the stored SVG, the script executes in that user's browser session, letting the attacker act on behalf of the legitimate user. The weakness is classified under CWE-79 (Cross-Site Scripting) and additionally under CWE-116 (Improper Encoding or Escaping of Output). Its persistence is characteristic of stored XSS: the malicious content is kept on the server and runs every time the affected resource is accessed.

The operational impact of CVE-2024-7304 goes beyond simple script execution; it can enable session hijacking, data theft, privilege escalation and redirection to malicious websites. Because the flaw lies in SVG handling, attackers can use the full XML and scripting feature set of SVG to build payloads that may evade filters written with raster images in mind. The vector is dangerous because browsers render an SVG opened directly as a complete document, including its scripts, so exploitation can succeed without immediate detection. The behaviour maps to ATT&CK technique T1566.001 (Phishing: Spearphishing Attachment) and T1059.007 (Command and Scripting Interpreter: JavaScript), since the attacker can use the compromised context to run further code.

Organizations running the affected Ninja Tables plugin should apply several layers of mitigation. The most immediate and effective step is updating to the latest plugin version, in which the XSS flaw has been patched. Administrators should also enforce strict upload validation that sanitizes all uploaded files, with particular attention to SVG content, to prevent script insertion. Monitoring should be configured to detect suspicious upload patterns and anomalous access to SVG files within the WordPress environment. A content security policy and regular security audits of WordPress installations further help to identify and remediate similar weaknesses before they are exploited. The vulnerability underlines the importance of proper input validation and output escaping in web applications, especially when handling user-supplied content that can contain executable elements.
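The upload validation described above, as an added illustration that is not part of the advisory or of the Ninja Tables plugin: an audit function that parses an uploaded SVG with the Python standard library and reports the constructs that turn an image into a script carrier (script and foreign-content elements, on* event handler attributes, and href values that resolve to a script URI once whitespace is stripped), plus a reject-on-any-finding policy. The sample SVGs are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can run script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URI schemes that must never appear in an href inside an uploaded image.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

def _local(qname: str) -> str:
    """Strip a namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return qname.rsplit("}", 1)[-1].lower()

def audit_svg(data: bytes) -> list[str]:
    """Return findings describing active content in an uploaded SVG.

    An empty list means nothing script-bearing was seen. A parse error is a
    finding too: a file the parser rejects may still render in a browser.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):  # onload, onclick, ... are handlers
                findings.append(f"event handler {aname} on <{name}>")
            if aname == "href":
                # Browsers tolerate whitespace/control chars inside a scheme,
                # so normalise before comparing ("java\nscript:" is javascript:).
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if scheme.startswith(SCRIPT_SCHEMES):
                    findings.append(f"script URI in href on <{name}>")
    return findings

def should_accept_upload(data: bytes) -> bool:
    """Reject-don't-repair policy: any finding blocks the upload."""
    return not audit_svg(data)

# Constructed samples for illustration; neither comes from the advisory.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>'
ACTIVE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>console.log("constructed sample")</script>
  <a xlink:href="java\nscript:void(0)"><text y="20">link</text></a>
  <rect width="8" height="8" onload="console.log(1)"/>
</svg>"""
```

Files already stored should additionally be served with `Content-Disposition: attachment` and a restrictive Content-Security-Policy, so that an SVG that slipped past validation cannot execute in the site's origin.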

Reservation

07/30/2024

Disclosure

08/27/2024

Moderation

accepted

CPE

ready

EPSS

0.00267

KEV

no

Activities

very low
