CVE-2021-24199

CVE-2021-24199: wpDataTables < 3.4.2 - Blind SQL Injection via start Parameter

Vendor Wpdatatables

Product wpDataTables – Tables & Table Charts

Weakness CWE-89 · SQLi

Published April 12, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

The wpDataTables – Tables & Table Charts premium WordPress plugin before 3.4.2 allows a low privilege authenticated user to perform Boolean-based blind SQL Injection in the table list page on the endpoint /wp-admin/admin-ajax.php?action=get_wdtable&table_id=1, on the 'start' HTTP POST parameter. This allows an attacker to access all the data in the database and obtain access to the WordPress application.

Key dates

02Disclosure timeline

April 12, 2021 CVE published

August 3, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2021-24199

Related vulnerabilities

04Related CVE

CVE-2024-10300 PHPGurukul Medical Card Generation System View Enquiry Page view-enquiry.php sql injection CVE-2026-10227 raisulislamg4 student_management_system_by_php User Creation add_user_check.php sql injection CVE-2026-12789 ILIAS Learning Management System Learning Progress Tracking class.ilTrQuery.php executeQueries sql injection CVE-2024-49666 WordPress ARPrice plugin <= 4.1.3 - SQL Injection vulnerability CVE-2025-50192 Chamilo: Time-based SQL Injection in /main/webservices/registration.soap.php