Platform
wordpress
Component
ninja-tables
Fixed in
5.0.19
CVE-2025-2940 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in the Ninja Tables – Easy Data Table Builder plugin for WordPress. This flaw allows unauthenticated attackers to initiate web requests to arbitrary locations, potentially exposing sensitive internal resources. The vulnerability impacts versions 0.0.0 through 5.0.18, and a patch is available in version 5.0.19.
The SSRF vulnerability in Ninja Tables allows an attacker to craft malicious requests through the args[url] parameter. Successful exploitation enables an attacker to query and potentially modify data from internal services that the WordPress instance can access. This could include accessing administrative panels, databases, or other sensitive resources behind the firewall. The lack of authentication required significantly broadens the attack surface, as any external user can trigger the vulnerability. While direct data exfiltration might be challenging without further vulnerabilities, the ability to probe internal services and potentially discover other weaknesses represents a significant risk.
CVE-2025-2940 was publicly disclosed on 2025-06-27. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.2 (HIGH) reflects the potential impact of SSRF vulnerabilities, particularly in environments with sensitive internal services.
Exploit Status
EPSS
0.24% (47th percentile)
The primary mitigation for CVE-2025-2940 is to immediately upgrade the Ninja Tables plugin to version 5.0.19 or later. If upgrading is not immediately feasible due to compatibility concerns or testing requirements, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious URLs in the args[url] parameter. Specifically, look for patterns indicative of internal network addresses or sensitive service endpoints. Additionally, restrict the plugin's access to internal resources by implementing network segmentation and access control lists (ACLs). After upgrading, verify the fix by attempting to trigger the SSRF vulnerability with a known malicious URL and confirming that the request is blocked or handled safely.
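The WAF-style pre-check described above, as an added example that is not the plugin's own code or its 5.0.19 fix: it inspects the args[url] value of each request, refuses non-http(s) schemes and address literals that are loopback, private, link-local or reserved (including decimal, hex, bracketed IPv6 and IPv4-mapped spellings), and keeps everything else. The blocked-name set and the sample query strings are constructed for the example; no DNS lookup is made, so a public hostname that resolves to an internal address is outside this check's scope.

```python
import ipaddress
from urllib.parse import parse_qs, urlsplit

BLOCKED_NAMES = {"localhost", "metadata.google.internal"}  # constructed; extend per environment

def _literal_ip(host):
    """Parse dotted/IPv6 literals plus decimal ("2130706433") and hex ("0x7f000001")
    spellings of an address; return None for an ordinary hostname."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 16 if host.lower().startswith("0x") else 10))
    except ValueError:
        return None

def is_internal_url(url):
    """True if the URL must be refused: non-http(s) scheme, missing host, a blocked name,
    or an address literal that is loopback/private/link-local/reserved. Only the
    parameter is inspected (no DNS lookup); egress filtering must cover resolved names."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return True
    host = parts.hostname  # lower-cased; IPv6 brackets and userinfo ("user@") stripped
    if not host:
        return True
    if host in BLOCKED_NAMES or host.endswith(".localhost"):
        return True
    ip = _literal_ip(host)
    if ip is None:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def flag_requests(query_strings):
    """Return every args[url] value in the query strings that targets an internal resource."""
    return [url for qs in query_strings
            for url in parse_qs(qs).get("args[url]", [])
            if is_internal_url(url)]

SAMPLE_QUERIES = [  # constructed request query strings, not captured traffic
    "args[url]=https://example.com/data.csv",
    "args[url]=http://127.0.0.1:8080/admin",
    "args[url]=http://169.254.169.254/latest/meta-data/",
    "args[url]=http://2130706433/",
    "args[url]=file:///tmp/x",
]
```

Running `flag_requests(SAMPLE_QUERIES)` returns the four internal or non-http values and leaves the example.com request alone.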
Update the Ninja Tables plugin to version 5.0.19 or higher to mitigate the Server-Side Request Forgery vulnerability. This update corrects how the plugin handles web requests, preventing unauthenticated attackers from making requests to arbitrary locations.
CVE-2025-2940 is a Server-Side Request Forgery vulnerability affecting Ninja Tables versions 0.0.0–5.0.18, allowing attackers to make arbitrary web requests.
You are affected if you are using Ninja Tables versions 0.0.0 through 5.0.18 on your WordPress website.
Upgrade the Ninja Tables plugin to version 5.0.19 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround.
As of now, there is no evidence of active exploitation campaigns targeting CVE-2025-2940.
Refer to the official Ninja Tables website and WordPress plugin repository for updates and advisories related to CVE-2025-2940.