CVE-2025-2939
📋 TL;DR
The Ninja Tables WordPress plugin is vulnerable to PHP object injection via deserialization of untrusted input in the args[callback] parameter. This allows unauthenticated attackers to execute arbitrary PHP functions, though without user-supplied parameters. All WordPress sites using Ninja Tables versions up to 5.0.18 are affected.
💻 Affected Systems
- Ninja Tables – Easy Data Table Builder WordPress plugin
📦 What is this software?
Ninja Tables by Wpmanageninja
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary PHP functions leading to remote code execution, data manipulation, or site takeover if vulnerable POP chains exist.
Likely Case
Limited function execution without parameters, potentially causing denial of service, information disclosure, or limited code execution.
If Mitigated
With proper input validation and security controls, exploitation would be prevented or limited to minimal impact.
🎯 Exploit Status
Exploitation requires crafting malicious serialized objects but is straightforward for attackers with knowledge of available POP chains.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.19
Vendor Advisory: https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.19
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Ninja Tables and click 'Update Now'.
4. Verify the version is 5.0.19 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the Ninja Tables plugin until it is patched
wp plugin deactivate ninja-tables
Web Application Firewall rule
Block requests containing suspicious serialized data in the args[callback] parameter
🧯 If You Can't Patch
- Implement strict input validation to reject serialized objects in callback parameters
- Deploy web application firewall with rules to detect and block PHP object injection attempts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Ninja Tables version. If version is 5.0.18 or lower, you are vulnerable.
Check Version:
wp plugin get ninja-tables --field=version
Verify Fix Applied:
After updating, confirm Ninja Tables version is 5.0.19 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress endpoints with args[callback] parameter containing serialized data
- PHP errors related to unserialize() or unexpected object instantiation
Network Indicators:
- HTTP requests with serialized PHP objects in parameters
- Unusual traffic patterns to WordPress admin-ajax.php or similar endpoints
SIEM Query:
source="wordpress" AND (url="*args[callback]*" OR message="*unserialize*" OR message="*__destruct*")
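The WAF workaround and the log indicators above both come down to one check: does an args[callback] value carry a serialized PHP object token? The following detector is an added example, not code from the plugin or from the advisory; it assumes request method, target and form body are available (from a WAF, reverse proxy or request log), and the sample requests are constructed, with an empty stdClass standing in for the shape a detector must recognise.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Serialized PHP object token: O:<len>:"<class>":<n>: (C: is the custom-serialization form).
# A callback parameter has no legitimate reason to contain one, so the token alone is
# a strong signal, whether it sits at top level or nested inside a serialized array.
PHP_OBJECT_RE = re.compile(r'[OC]:\d+:"[^"]*":\d+:')

def contains_php_object(value: str) -> bool:
    """True if the value contains a serialized PHP object token."""
    return PHP_OBJECT_RE.search(value) is not None

def callback_values(target: str, body: str = "") -> list[str]:
    """Collect every args[callback] value from the query string and the form body."""
    values = []
    for raw in (urlsplit(target).query, body):
        # parse_qs URL-decodes keys and values, so args%5Bcallback%5D becomes args[callback]
        values.extend(parse_qs(raw, keep_blank_values=True).get("args[callback]", []))
    return values

def inspect_request(method: str, target: str, body: str = "") -> dict:
    """Classify one request; a hit means a serialized object reached the callback parameter."""
    values = callback_values(target, body)
    return {
        "method": method,
        "path": urlsplit(target).path,
        "callback_values": values,
        "object_injection_suspected": any(contains_php_object(v) for v in values),
    }

# Constructed sample requests (not real traffic); the action name is a placeholder.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php", "action=example_action&args%5Bcallback%5D=esc_html"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=example_action&args%5Bcallback%5D=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
    ("GET", "/?args%5Bcallback%5D=a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D", ""),
]

def flagged_paths(requests=SAMPLE_REQUESTS) -> list[str]:
    """Paths of requests that should raise an alert (or be blocked by the WAF rule)."""
    results = (inspect_request(*req) for req in requests)
    return [r["path"] for r in results if r["object_injection_suspected"]]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(inspect_request(*req))
```

The first request (a plain function name) passes, while the second and third, the latter with the object nested in a serialized array, are flagged.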
🔗 References
- https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.18/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399
- https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.19/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399
- https://plugins.trac.wordpress.org/browser/ninja-tables/trunk/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399
- https://www.wordfence.com/threat-intel/vulnerabilities/id/8e38553d-5dba-4c84-95f7-43420245c770?source=cve