CVE-2024-3820 (CVSS 10) in wpDataTables Puts 70,000 WordPress Sites at Risk

A critical security vulnerability has been discovered in wpDataTables, a widely used WordPress plugin for creating tables and charts. The flaw, tracked as CVE-2024-3820 and rated with the maximum severity score of 10 (CVSS 10), is an SQL injection that unauthenticated attackers could use to read or manipulate data in the database of any WordPress site running the premium version of the plugin (a CVSS 10 score requires that no privileges be needed to exploit the flaw).

The vulnerability stems from insufficient input validation and improper sanitization of user-supplied data in the ‘id_key’ parameter of the wdt_delete_table_row AJAX action. WordPress AJAX actions are dispatched through wp-admin/admin-ajax.php, so the vulnerable code path is reachable over HTTP by anyone who can send a request to the site. Because the parameter is placed into the SQL statement without being escaped or bound, an attacker can alter the meaning of the query and read or modify data in the underlying database.
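The following Python/SQLite program is an added illustration of this class of bug; it is not the plugin's code, and it does not reproduce the actual wdt_delete_table_row query, whose exact shape this article does not give. It assumes a hypothetical delete-row handler that binds the row value but interpolates the column name taken from id_key, a constructed table wdt_rows with three sample rows, and a hardened handler that allowlists the column name before using it. It shows both consequences mentioned above: a single injected id_key deletes every row, and the same handler can be turned into a boolean oracle that leaks a stored value one character at a time (the oracle is destructive, so the sample database is rebuilt for each probe).

```python
import sqlite3
import string

# Constructed sample data standing in for a table managed by a table plugin
# (hypothetical; not data from any real site).
SAMPLE_ROWS = [(1, "Acme Ltd", 1200.0), (2, "Borg Inc", 340.5), (3, "Cyberdyne", 99.0)]


def make_db():
    """Build a fresh in-memory database with the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wdt_rows (id INTEGER PRIMARY KEY, client TEXT, balance REAL)")
    conn.executemany("INSERT INTO wdt_rows VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def delete_row_vulnerable(conn, table, id_key, id_val):
    """Hypothetical vulnerable handler: the row value is bound with a
    placeholder, but the ID column name (id_key) is interpolated unchecked,
    so the WHERE clause is attacker-controlled. Returns rows deleted."""
    sql = f"DELETE FROM {table} WHERE {id_key} = ?"
    cur = conn.execute(sql, (id_val,))
    conn.commit()
    return cur.rowcount


def delete_row_safe(conn, table, id_key, id_val):
    """Hardened handler. Identifiers cannot be bound as parameters, so id_key
    is checked against the table's real column list (an allowlist) and then
    quoted; the value is still bound. `table` is a server-side constant here."""
    cols = {row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')}
    if id_key not in cols:
        raise ValueError(f"unknown id column: {id_key!r}")
    quoted = '"' + id_key.replace('"', '""') + '"'
    cur = conn.execute(f"DELETE FROM {table} WHERE {quoted} = ?", (id_val,))
    conn.commit()
    return cur.rowcount


def blind_extract(alphabet=string.ascii_letters + string.digits + " "):
    """Attacker side: use the vulnerable handler as a boolean oracle to read
    wdt_rows.client of row 1. The injected id_key replaces the column
    reference with a subquery selecting one character; the bound value is the
    guess. A match deletes every row (rowcount > 0), a miss deletes none.
    Each hit destroys the data, so a fresh database is built per probe."""
    recovered = ""
    pos = 1
    while True:
        for ch in alphabet:
            conn = make_db()
            probe = f"(SELECT substr(client, {pos}, 1) FROM wdt_rows WHERE id = 1)"
            if delete_row_vulnerable(conn, "wdt_rows", probe, ch) > 0:
                recovered += ch
                break
        else:
            # No candidate matched: substr() ran past the end of the string.
            return recovered
        pos += 1


if __name__ == "__main__":
    wipe = delete_row_vulnerable(make_db(), "wdt_rows", "1 OR 1=1 OR id", 2)
    print("vulnerable handler, injected id_key: rows deleted =", wipe)
    print("leaked via boolean oracle:", blind_extract())
    print("safe handler, legitimate id_key: rows deleted =",
          delete_row_safe(make_db(), "wdt_rows", "id", 2))
    try:
        delete_row_safe(make_db(), "wdt_rows", "1 OR 1=1 OR id", 2)
    except ValueError as exc:
        print("safe handler rejected injected id_key:", exc)
```

The point of the hardened variant is that parameter binding alone is not a complete fix when the injected parameter names a column: in WordPress, $wpdb->prepare() binds values but cannot bind identifiers, so a column name coming from the request has to be validated against an explicit allowlist before it is placed in the statement.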

The impact of this vulnerability is significant, given the widespread adoption of wpDataTables. With over 70,000 installations, the plugin is trusted by a vast number of businesses and individuals to manage financial, scientific, statistical, and other sensitive information. Successful exploitation of this flaw could result in:

  • Data breaches: Attackers could read confidential data stored in wpDataTables tables, exposing customer information, proprietary data, or financial records.
  • Website defacement: Attackers could alter table contents shown on the site or use the injection to modify other data in the same database, including content used to redirect visitors to harmful websites.
  • Account takeover: The plugin's tables live in the same database as the core WordPress tables, including wp_users with its password hashes; an attacker able to read or modify those rows could crack weak passwords or otherwise gain unauthorized access to WordPress accounts and take control of the site.

The issue was discovered by security researcher villu164, who is credited with the finding. According to villu164, the vulnerability stems from a lack of proper input sanitization and parameter binding in the SQL queries within the plugin, making it susceptible to SQL injection attacks.

The CVE-2024-3820 vulnerability affects all versions of wpDataTables up to and including 6.3.1. The plugin’s developers have released a patched version, 6.3.2, urging users to update immediately.