Vulnerability Description
The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary functions, though it does not allow user supplied parameters only single functions can be called so the impact is limited.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wpmanageninja | Ninja Tables | < 5.0.19 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.18/vendor/wpfluProduct
- https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.19/vendor/wpfluProduct
- https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/vendor/wpfluent/frProduct
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8e38553d-5dba-4c84-95fThird Party Advisory
FAQ
What is CVE-2025-2939?
CVE-2025-2939 is a vulnerability with a CVSS score of 5.6 (MEDIUM). The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[...
How severe is CVE-2025-2939?
CVE-2025-2939 has been rated MEDIUM with a CVSS base score of 5.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-2939?
Check the references section above for vendor advisories and patch information. Affected products include: Wpmanageninja Ninja Tables.