External risk intelligence

Unauthenticated SQL Injection in wpDataTables Plugin Versions <= 7.3.6

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-49080

A critical SQL injection vulnerability exists in the wpDataTables WordPress plugin, allowing unauthenticated attackers to potentially access sensitive database information. This issue is network-exposed and does not require user interaction for exploitation. The primary concern is confirming the plugin's presence and r

SQL Injection

Halo Surface Signal (4)

Likely · external exposure

This vulnerability affects a WordPress plugin, a web application component that is commonly deployed on public-facing websites. Such plugins are routinely reachable over the internet as part of the standard web server environment, so the vulnerable code path is exposed to external users.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical security vulnerability impacting a WordPress plugin that allows for data table creation and display. The issue, an unauthenticated SQL injection, could potentially expose sensitive data if exploited. The primary concern is confirming the relevance and exposure of this plugin within our environment.

  • Unauthenticated SQL injection in a data table plugin.
  • Critical impact if exploited, exposing sensitive data.
  • Confirm relevance and exposure to prioritize response.

Attack Path

How an attacker could exploit the issue

An attacker can remotely target this vulnerability because it is exposed via the network and requires no prior authentication or user interaction. The vulnerability lies within the wpDataTables plugin, where unvalidated user input is used in SQL queries. Successful exploitation could lead to unauthorized access to database information and potential disruption of database operations.

  • Network exposure, no authentication needed.
  • Unvalidated user input used in SQL queries.
  • Unauthorized database access and disruption.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could expose a WordPress site's database to unauthenticated attackers. When the wpDataTables plugin is used in a way that does not properly sanitize user input, an attacker could inject malicious SQL commands. This could potentially lead to unauthorized access or modification of sensitive data stored in the site's database, depending on how the plugin is configured and what data it accesses.

  • Site database.
  • Unsanitized input to SQL queries.
  • Unauthorized database access or modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

The presence of an unauthenticated SQL injection vulnerability in wpDataTables necessitates immediate attention from teams responsible for web application security and platform management. The first practical step is to identify all instances of this plugin across your web infrastructure, determine their reachability and criticality to business operations, and confirm the accountable application or platform owner. Subsequently, a risk-based remediation plan, considering the critical nature of the vulnerability, should be developed and executed, potentially involving vendor coordination.

  • Application owners must lead remediation efforts.
  • Verify plugin presence and external reachability.
  • Plan coordinated vendor engagement for fixes.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-49080 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This unauthenticated SQL injection vulnerability in wpDataTables could lead to a PCI ASV scan failure, requiring remediation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the wpDataTables plugin?

wpDataTables is a WordPress plugin designed to help users create, manage, and display data tables and charts on websites. It acts as a bridge between a database and the front-end interface, allowing administrators to present complex information—like financial reports or inventory lists—to site visitors.

What does SQL injection mean for CVE-2026-49080?

This vulnerability is classified as CWE-89, which occurs when software fails to properly filter user input before including it in a database query. In this specific case, the plugin does not sanitize information, allowing an attacker to manipulate the underlying SQL commands to view or interact with database information that should remain private.

Do I need to be logged in for this bug to be triggered?

No. The vulnerability is unauthenticated, meaning an attacker does not need an account or special permissions on your WordPress site to attempt an exploit. It is triggered through network requests sent directly to the plugin, and simply browsing the site normally does not trigger the bug.

Is my site at risk?

Halo Surface Signal notes that since wpDataTables is a web component, it is commonly deployed on public-facing websites. If your instance is accessible over the internet, it is reachable by external actors. You should assume that any site running an affected version is potentially exposed to this network-based threat.

How should I respond to this vulnerability?

Start by auditing your infrastructure to locate all instances of the wpDataTables plugin. Confirm which sites are active and identify the owners responsible for them. Once identified, evaluate the criticality of those sites and prepare a plan to update or restrict the plugin while coordinating with the vendor for a permanent fix.
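As an added example (not code from this advisory or from the wpDataTables project), the following Python script implements the inventory step recommended under Operational Fix and in this answer: it looks for the plugin's main file under each WordPress document root, reads the plugin's version header and compares it with the affected range from the title (<= 7.3.6). The plugin slug and main-file path are assumptions based on the standard WordPress layout, and the sample header contents are constructed.

```python
import re
import tempfile
from pathlib import Path

MAX_AFFECTED = (7, 3, 6)  # affected range from the advisory title: versions <= 7.3.6
# Assumed plugin slug/main file (standard WordPress layout); not taken from the advisory.
PLUGIN_MAIN = Path("wp-content/plugins/wpdatatables/wpdatatables.php")
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

# Constructed sample plugin header in WordPress format; not the real file contents.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: wpDataTables\n * Version: 7.3.5\n */\n"


def parse_version(version: str) -> tuple:
    """'7.3.5' -> (7, 3, 5); a '-beta' style suffix is dropped (conservative choice)."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def is_affected(version: str) -> bool:
    """True when version <= 7.3.6 after zero-padding (7.3 == 7.3.0; 7.3.6.1 sorts above)."""
    v = parse_version(version)
    width = max(len(v), len(MAX_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(v) <= pad(MAX_AFFECTED)


def version_from_header(text: str):
    """Return the 'Version:' header value, or None when the header is missing."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def audit_docroots(docroots) -> dict:
    """Map each docroot that contains the plugin to (version, affected); others are skipped."""
    results = {}
    for root in docroots:
        main = Path(root) / PLUGIN_MAIN
        if not main.is_file():
            continue  # plugin not installed under this docroot
        ver = version_from_header(main.read_text(errors="replace"))
        results[str(root)] = (ver, is_affected(ver) if ver else None)
    return results


def demo() -> dict:
    """Create one throw-away docroot holding SAMPLE_HEADER and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        main = Path(tmp) / PLUGIN_MAIN
        main.parent.mkdir(parents=True)
        main.write_text(SAMPLE_HEADER)
        return audit_docroots([tmp, "/nonexistent/docroot"])
```

Feed `audit_docroots` the list of real document roots from your web server configuration; any entry reported as affected is a site to prioritize for the update or restriction described above.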

References