{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69351", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:28.143Z", "datePublished": "2026-01-06T16:36:40.416Z", "dateUpdated": "2026-04-28T16:14:38.741Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ninja-tables", "product": "Ninja Tables", "vendor": "Shahjahan Jewel", "versions": [{"changes": [{"at": "5.2.5", "status": "unaffected"}], "lessThanOrEqual": "5.2.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:22:13.284Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.<p>This issue affects Ninja Tables: from n/a through <= 5.2.4.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.4."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:38.741Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ninja-tables/vulnerability/wordpress-ninja-tables-plugin-5-2-4-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Ninja Tables plugin <= 5.2.4 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T19:53:24.002731Z", "id": "CVE-2025-69351", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:56:46.991Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69351", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T19:53:24.002731Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T19:54:00.060Z"}}], "cna": {"title": "WordPress Ninja Tables plugin <= 5.2.4 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Shahjahan Jewel", "product": "Ninja Tables", "versions": [{"status": "affected", "changes": [{"at": "5.2.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.2.4"}], "packageName": "ninja-tables", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:22:13.284Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/ninja-tables/vulnerability/wordpress-ninja-tables-plugin-5-2-4-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.4.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.<p>This issue affects Ninja Tables: from n/a through <= 5.2.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:01.463Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69351", "state": "PUBLISHED", "dateUpdated": "2026-04-24T18:28:13.800Z", "dateReserved": "2025-12-31T20:12:28.143Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-06T16:36:40.416Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection.This issue affects Ninja Tables: from n/a through <= 5.2.4."}], "id": "CVE-2025-69351", "lastModified": "2026-04-27T19:16:41.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-06T17:15:47.587", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ninja-tables/vulnerability/wordpress-ninja-tables-plugin-5-2-4-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:04:20.334183+00:00", "value": {"mitigation_remediation": ["Upgrade the Ninja Tables plugin to the latest version (5.2.5 or newer) to remove the insecure input handling.", "If an upgrade is not immediately possible, limit access to the plugin\u2019s data entry interfaces using role\u2011based permissions or a web application firewall to block suspicious input patterns.", "Monitor database logs for unusual query activity that may indicate attempted injection and enforce strict input validation and parameterized queries in custom code."], "summary": {"action": "Apply Patch", "impact": "Data Exposure through Blind SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is the Ninja Tables plugin by Shahjahan Jewel for WordPress sites. Versions from the first available release up to and including 5.2.4 are vulnerable. The issue is present regardless of the WordPress core version, as it originates in the plugin\u2019s PHP code that builds SQL queries.", "description_and_impact": "The vulnerability is an improper neutralization of special elements used in an SQL command, allowing blind SQL injection within the Ninja Tables plugin. An attacker can craft inputs that bypass the plugin\u2019s filtering and execute arbitrary SQL statements against the WordPress database. This enables the extraction of sensitive data, modification of records, or potential escalation to full site compromise if the extracted data includes authentication or configuration values. The weakness is classified as CWE-89.", "risk_and_exploitability": "The CVSS score of 8.5 indicates a high impact, while the EPSS score of less than 1% indicates a very low likelihood that this vulnerability is actively exploited in the wild. The vulnerability is not listed in the CISA KEV catalog, further suggesting limited exploitation. Based on the description, the likely attack vector involves submitting specially crafted input via a form or URL that the plugin processes, and the attacker would need network access to the WordPress site. Because the SQL injection is blind, the attacker does not need to see error messages or query results; they can infer information through time delays or other side channels."}}}}, "created": "2026-01-07T10:09:01.513752+00:00", "updated": "2026-04-28T10:15:28.847226+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}