PHP Object Injection in Ninja Tables Plugin by WordPress
CVE-2025-2939

5.6 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
3 June 2025

What is CVE-2025-2939?

The Ninja Tables plugin for WordPress is vulnerable to PHP Object Injection because it deserializes untrusted input from the args[callback] parameter. The vulnerability affects all versions up to and including 5.0.18. It allows unauthenticated attackers to inject a PHP object and potentially execute arbitrary functions. The attack is constrained, however: it allows only single function calls without user-supplied parameters, which limits the potential impact.

Affected Version(s)

Ninja Tables – Easy Data Table Builder * <= 5.0.18

CVSS V3.1

Score:
5.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Trương Hữu Phúc (truonghuuphuc)