Medium severity4.7NVD Advisory· Published May 23, 2024· Updated Apr 15, 2026

CVE-2024-4895

Description

The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the CSV import functionality in all versions up to, and including, 3.4.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in wpDataTables plugin (<=3.4.2.12) allows unauthenticated attackers to inject arbitrary scripts via CSV import.

Vulnerability

The wpDataTables plugin for WordPress versions up to and including 3.4.2.12 is vulnerable to Stored Cross-Site Scripting (XSS) via the CSV import functionality. This is due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by crafting a malicious CSV file containing XSS payloads and importing it through the plugin's CSV import feature. The injected script is stored and executed whenever a user accesses the affected page, such as a table rendered by the plugin [1].

Impact

Successful exploitation allows arbitrary JavaScript execution in the context of the victim's browser. This can lead to session hijacking, website defacement, or theft of sensitive information. The attack requires no authentication and affects any page displaying the imported table [1].

Mitigation

The vulnerability is fixed in version 3.4.2.13 and later versions. Users are strongly advised to update to the latest version (6.5.0.7 as of the reference) to mitigate the risk. No workarounds are documented, and the CVE is not currently listed in the CISA KEV catalog [1].

References

wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

WordPress/Wpdatatablesreferences
Package: https://wordpress.org/plugins/wpdatatables
Wpdatatables/Wpdatatablesllm-fuzzy
Range: <=3.4.2.12

Patches

r3089897

https://plugins.svn.wordpress.orgvia nvd-ref

commit

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.306
epss	0.003
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000