CVE-2026-5721 Overview
CVE-2026-5721 is a Stored Cross-Site Scripting (XSS) vulnerability in the wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin for WordPress. The flaw affects all plugin versions up to and including 6.5.0.4. The vulnerability resides in the prepareCellOutput() method of the LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts. Exploitation requires tricking an administrator into importing data from an attacker-controlled source while affected column types (Link, Image, or Email) are configured. Injected scripts execute in the browser of any user visiting an affected page.
Critical Impact
Unauthenticated attackers can inject persistent JavaScript into WordPress pages once a site administrator imports attacker-controlled data, enabling session hijacking, credential theft, and actions performed with the privileges of whichever user views the page, administrators included.
Affected Products
- wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin for WordPress
- All versions up to and including 6.5.0.4
- WordPress sites with Link, Image, or Email column types configured
Discovery Timeline
- 2026-04-20 - CVE-2026-5721 published to the National Vulnerability Database (NVD)
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-5721
Vulnerability Analysis
The vulnerability is classified as Stored Cross-Site Scripting under CWE-79. The wpDataTables plugin renders user-supplied data through specialized column classes that format cell output for display. The prepareCellOutput() method in the LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes fails to properly sanitize input and escape output. When an administrator imports data from an external source, the plugin stores the malicious payload. Each subsequent page view triggers script execution in the visitor's browser. The attack chain depends on social engineering an administrator to import data from an attacker-controlled location.
Root Cause
The root cause is missing input sanitization combined with absent output escaping in three column-type handler classes. WordPress provides functions such as esc_url(), esc_attr(), and esc_html() for safe rendering, but the affected prepareCellOutput() implementations do not apply them consistently. Imported field values containing HTML or JavaScript pass through to the page output verbatim.
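As an added illustration (not the plugin's own code), the hypothetical PHP below shows the unescaped rendering pattern this advisory describes next to a hardened version that applies the WordPress escaping functions named above. It assumes a WordPress runtime (so esc_url(), esc_attr(), esc_html(), sanitize_email() and is_email() exist); the wdt_example_* function names are invented for the example.

```php
<?php
// Added illustrative example, not wpDataTables code: a simplified, hypothetical
// cell renderer for the three affected column types, first in the unescaped
// form the advisory describes, then with WordPress escaping applied.
// Assumes a WordPress runtime for esc_url(), esc_attr(), esc_html(),
// sanitize_email() and is_email().

// Vulnerable pattern: imported cell values reach the page verbatim.
function wdt_example_cell_output_unescaped(string $type, string $value): string {
    switch ($type) {
        case 'link':
            return '<a href="' . $value . '">' . $value . '</a>';
        case 'image':
            return '<img src="' . $value . '" alt="' . $value . '">';
        case 'email':
            return '<a href="mailto:' . $value . '">' . $value . '</a>';
    }
    return $value;
}

// Hardened pattern: sanitize per field type, then escape for the context each
// value lands in (URL attribute, plain attribute, or HTML text).
function wdt_example_cell_output_escaped(string $type, string $value): string {
    switch ($type) {
        case 'link':
            // esc_url() returns '' for disallowed schemes such as javascript:,
            // so a hostile value produces no link rather than an executable one.
            $url = esc_url($value);
            if ($url === '') {
                return '';
            }
            return '<a href="' . $url . '">' . esc_html($value) . '</a>';
        case 'image':
            $src = esc_url($value);
            if ($src === '') {
                return '';
            }
            return '<img src="' . $src . '" alt="' . esc_attr($value) . '">';
        case 'email':
            $email = sanitize_email($value);
            if ($email === '' || !is_email($email)) {
                return esc_html($value); // not an address: render as inert text
            }
            return '<a href="mailto:' . esc_attr($email) . '">' . esc_html($email) . '</a>';
    }
    return esc_html($value);
}
```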
Attack Vector
An attacker hosts a malicious data source containing crafted Link, Image, or Email column values with embedded JavaScript payloads. The attacker convinces a WordPress administrator to import this data into a wpDataTables table. Once imported, the payload is stored in the database. When any user, including unauthenticated visitors, loads the page containing the table, the script executes in their browser context. The vendor patched the issue in WordPress plugin changeset 3510613.
No public proof-of-concept code is referenced in the advisory. Technical details are described in the Wordfence Vulnerability Intelligence entry.
Detection Methods for CVE-2026-5721
Indicators of Compromise
- Unexpected <script> tags or JavaScript event handlers in wpDataTables table cells, particularly within Link, Image, or Email columns
- Database entries in wpDataTables tables containing javascript: URIs or HTML markup in Link, Image, or Email fields
- Recent administrator-initiated imports from external or unverified URLs in plugin activity logs
- Outbound browser requests from site visitors to unfamiliar domains following table page loads
Detection Strategies
- Audit the wpDataTables database tables for stored values containing HTML tags, on* event handlers, or javascript: schemes in Link, Image, and Email columns
- Review WordPress audit logs for recent data import operations performed by administrators against the plugin
- Inspect rendered pages containing wpDataTables tables using browser developer tools to identify unsanitized markup in cell output
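One way to carry out the stored-value audit above, as an added helper that is not part of wpDataTables: it scans cell values from the watched columns for HTML tags, on* event handlers and javascript: schemes (after entity decoding and whitespace collapsing, which browsers tolerate). The sample rows are constructed for illustration; the function name wdt_audit_suspicious_cells is invented, and in practice you would pass rows exported from the affected tables.

```php
<?php
// Added audit helper (not part of wpDataTables): flags stored Link, Image and
// Email cell values that contain HTML markup, on* event handlers, or a
// javascript: scheme. Sample rows are constructed; feed it rows exported from
// the affected tables (for example via WP-CLI) in practice. Hits need review,
// since benign text such as "?online=1" can trip the event-handler check.

function wdt_audit_suspicious_cells(array $rows, array $watchedColumns): array {
    $findings = [];
    foreach ($rows as $rowId => $row) {
        foreach ($watchedColumns as $column) {
            if (!isset($row[$column])) {
                continue;
            }
            // Decode entities first so numeric-entity encodings of markup are caught.
            $value = html_entity_decode((string) $row[$column], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $hits = [];
            if (preg_match('/<\s*\/?[a-z][\w-]*[^>]*>/i', $value)) {
                $hits[] = 'html_tag';
            }
            if (preg_match('/\bon[a-z]+\s*=/i', $value)) {
                $hits[] = 'event_handler';
            }
            // Browsers ignore control characters and whitespace inside the scheme,
            // so strip them before looking for javascript:.
            $collapsed = preg_replace('/[\x00-\x20]+/', '', $value);
            if (stripos($collapsed, 'javascript:') !== false) {
                $hits[] = 'javascript_uri';
            }
            if ($hits !== []) {
                $findings[] = ['row' => $rowId, 'column' => $column, 'checks' => $hits];
            }
        }
    }
    return $findings;
}

// Constructed sample rows shaped like an imported table with Link/Image/Email columns.
$sampleRows = [
    1 => ['link' => 'https://example.com/item/1', 'image' => 'https://example.com/1.png', 'email' => 'sales@example.com'],
    2 => ['link' => "java\tscript:void(0)", 'image' => 'https://example.com/2.png', 'email' => 'ops@example.com'],
    3 => ['link' => 'https://example.com/item/3', 'image' => 'https://example.com/3.png', 'email' => '<b onmouseover=x>ops@example.com</b>'],
    4 => ['link' => 'https://example.com/item/4', 'image' => '&#60;img src=x&#62;', 'email' => 'info@example.com'],
];

foreach (wdt_audit_suspicious_cells($sampleRows, ['link', 'image', 'email']) as $f) {
    printf("row %d, column %s: %s\n", $f['row'], $f['column'], implode(', ', $f['checks']));
}
```

Rows 2, 3 and 4 are reported; row 1 is clean, which is the baseline a healthy table should produce across every watched column.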
Monitoring Recommendations
- Enable WordPress activity logging plugins to track administrator import actions and data source URLs
- Deploy Content Security Policy (CSP) headers and monitor CSP violation reports for inline script execution attempts
- Monitor web server access logs for suspicious referrer patterns or anomalous outbound requests from administrator browsers
How to Mitigate CVE-2026-5721
Immediate Actions Required
- Update the wpDataTables plugin to a version newer than 6.5.0.4 that contains the fix from changeset 3510613
- Audit existing wpDataTables tables for malicious payloads in Link, Image, and Email column cells and purge any tainted rows
- Restrict plugin import permissions to a minimal set of trusted administrator accounts
- Train administrators to verify the integrity and source of any external data files before importing
Patch Information
The vendor addressed the vulnerability in WordPress plugin changeset 3510613. The fix adds proper input sanitization and output escaping to the prepareCellOutput() method in the LinkWDTColumn, ImageWDTColumn, and EmailWDTColumn classes. Site operators should upgrade to the patched release immediately.
Workarounds
- Avoid configuring Link, Image, or Email column types in wpDataTables until the plugin is patched
- Disable the wpDataTables data import functionality if it is not actively required
- Deploy a Web Application Firewall (WAF) rule that strips HTML and JavaScript from incoming wpDataTables import payloads
- Enforce a strict Content Security Policy that blocks inline JavaScript execution on pages rendering wpDataTables tables
# Content Security Policy header example for nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.