PatchSiren

CVE-2026-49080 TMS CVE debrief

CVE-2026-49080 is a critical vulnerability in the wpDataTables plugin for WordPress. With a CVSS score of 9.3, it allows unauthenticated attackers to inject malicious SQL code, which could lead to unauthorized access to sensitive data. The vulnerability was published on June 17, 2026, and immediately gained attention due to its severity. Users of wpDataTables versions less than or equal to 7.3.6 are advised to take immediate action to protect their installations.

Vendor: TMS
Product: wpDataTables
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Administrators and users of WordPress installations with the wpDataTables plugin version 7.3.6 or earlier should be concerned about this vulnerability. Due to its critical nature and potential for exploitation, immediate action is recommended to secure affected installations.

Technical summary

CVE-2026-49080 is an unauthenticated SQL injection vulnerability in the wpDataTables plugin for WordPress. The vulnerability has been assigned a CVSS score of 9.3, indicating critical severity. It allows attackers to inject malicious SQL code without authentication, potentially leading to unauthorized data access. The vulnerability affects wpDataTables versions up to and including 7.3.6. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L.

Defensive priority

high

Recommended defensive actions

  • Update wpDataTables to a version greater than 7.3.6 immediately.
  • If immediate update is not possible, consider temporarily disabling the wpDataTables plugin until a secure version can be installed.
  • Monitor WordPress installation logs for suspicious activity.
  • Implement a Web Application Firewall (WAF) to detect and block SQL injection attempts.
  • Regularly review and update all plugins and themes on the WordPress installation.
  • Consider implementing additional security measures such as two-factor authentication and regular backups.
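To act on the first two items across many sites, the following added example (not code from the advisory or from the plugin vendor) walks a `wp-content/plugins` directory, reads each plugin's WordPress header comment, and reports wpDataTables copies at or below 7.3.6. It assumes the plugin's `Plugin Name` header begins with "wpDataTables"; the folder and file names in the sample tree are constructed.

```python
import re
import sys
import tempfile
from pathlib import Path

LAST_AFFECTED = (7, 3, 6)  # advisory: wpDataTables <= 7.3.6 is affected
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_version(text):
    """'7.3.6' -> (7, 3, 6); trailing zeros dropped so 7.3.6.0 == 7.3.6."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    parts = [int(p) for p in m.group().split(".")] if m else []
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def read_header(php_file):
    """Read the WordPress plugin header fields from the top of a PHP file."""
    fields = {}
    for key, value in HEADER.findall(php_file.read_text(errors="replace")[:8192]):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields

def find_affected(plugins_dir):
    """Return [(plugin folder, version)] for wpDataTables copies <= 7.3.6."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = read_header(php_file)
        # Assumption: the plugin's header name starts with "wpDataTables".
        if not fields.get("plugin name", "").lower().startswith("wpdatatables"):
            continue
        raw = fields.get("version", "")
        version = parse_version(raw)
        if not version or version <= LAST_AFFECTED:  # unknown version: fail closed
            hits.append((php_file.parent.name, raw or "unknown"))
    return hits

def build_sample_tree():
    """Constructed sample plugins directory (not real plugin code)."""
    root = Path(tempfile.mkdtemp())
    for folder, name, version in [("wpdatatables", "wpDataTables", "7.3.6"),
            ("wpdatatables-new", "wpDataTables", "7.3.7"), ("other-plugin", "Other", "1.0")]:
        (root / folder).mkdir()
        body = f"<?php\n/*\n * Plugin Name: {name}\n * Version: {version}\n */\n"
        (root / folder / "main.php").write_text(body)
    return root

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for folder, version in find_affected(target):
        print(f"AFFECTED: {folder} (version {version})")
```

Pass the path to a site's `wp-content/plugins` directory as the first argument; with no argument the script runs against the constructed sample tree.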

Evidence notes

The information provided is based on data from official sources, including CVE.org and NVD. The CVE record and NVD detail pages provide comprehensive information about the vulnerability. Additional details are available from Patchstack, which reported the vulnerability.
