CVE-2026-2306
Unauthorized Database Table Creation in Ninja Tables WordPress Plugin
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wpmet | ninja_tables | to 5.2.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Ninja Tables β Easy Data Table Builder plugin for WordPress has a vulnerability due to missing authorization checks in the function called createFluentCartTable. This flaw exists in all versions up to and including 5.2.6.
Because of this, any authenticated user with Subscriber-level access or higher can create arbitrary database tables within Ninja Tables without proper permission.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can create unauthorized database tables, which can lead to database pollution.
This pollution can cause resource exhaustion, potentially degrading the performance or stability of the WordPress site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers with Subscriber-level access and above to create arbitrary database tables, leading to database pollution and resource exhaustion.
However, there is no specific information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.