CVE-2025-2939

Name of the Vulnerable Software and Affected Versions The Ninja Tables – Easy Data Table Builder plugin for WordPress versions up to, and including, 5.0.18

Description The issue is related to PHP Object Injection via deserialization of untrusted input from the args[callback] parameter. This allows unauthenticated attackers to inject a PHP Object. The presence of a POP chain enables attackers to execute arbitrary functions, though the impact is limited as only single functions can be called without user-supplied parameters.

Recommendations For versions up to, and including, 5.0.18, update to a version later than 5.0.18 to resolve the issue. As a temporary workaround, consider restricting access to the args[callback] parameter to minimize the risk of exploitation.