WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards Security & Risk Analysis

wordpress.org/plugins/wp-data-access

Turn your data into WordPress apps with tables, forms, charts & maps — no code required, with optional hooks for developers. Supports 35+ languages.

10K active installs · v5.5.71 · PHP 7.0+ · WP + · Updated Apr 16, 2026
Tags: app-builder, dashboards, data-table, form-builder, table-builder
89
A · Safe
CVEs total: 7
Unpatched: 0
Last CVE: May 9, 2026
Safety Verdict

Is WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards Safe to Use in 2026?

Generally Safe

Score 89/100

WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

7 known CVEs · Last CVE: May 9, 2026 · Updated 1mo ago
Risk Assessment

The wp-data-access plugin v5.5.69 presents a mixed security posture. While it demonstrates some good practices, such as a high percentage of prepared SQL statements and a substantial number of nonce and capability checks, significant concerns remain. The analysis reveals a large attack surface with 21 unprotected AJAX handlers, which is a primary point of vulnerability. Furthermore, the taint analysis indicates 16 flows with unsanitized paths, including 3 identified as high severity, suggesting potential for various attacks if these flows are reachable and exploitable through the unprotected entry points.

The plugin's vulnerability history is a notable weakness. It has a total of 6 known CVEs, with 3 high and 3 medium severity vulnerabilities remaining unpatched. The common types of past vulnerabilities, including XSS, CSRF, Incorrect Privilege Assignment, and SQL Injection, directly correlate with the risks identified in the static and taint analysis. This historical pattern strongly suggests recurring issues with input validation and permission handling. Despite strengths in prepared SQL and output escaping, the numerous unprotected AJAX endpoints and the history of severe vulnerabilities necessitate a cautious approach.

Key Concerns

  • 21 unprotected AJAX handlers
  • 3 high severity taint flows
  • 3 high severity unpatched CVEs
  • 3 medium severity unpatched CVEs
  • 16 flows with unsanitized paths
  • Bundled outdated Freemius v1.0
Vulnerabilities
7 published

WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2023: 1 CVE
  • 2024: 2 CVEs
  • 2025: 1 CVE
  • 2026: 2 CVEs

Severity Breakdown

High: 4
Medium: 3

7 total CVEs

CVE-2026-42665 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards <= 5.5.70 - Unauthenticated SQL Injection

May 9, 2026 Patched in 5.5.71 (3d)
CVE-2026-0557 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Data Access <= 5.5.63 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpda_app' Shortcode

Feb 13, 2026 Patched in 5.5.64 (1d)
CVE-2025-39582 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Data Access <= 5.5.36 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 16, 2025 Patched in 5.5.37 (7d)
CVE-2024-12428 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Data Access – App, Table, Form and Chart Builder plugin <= 5.5.22 - Unauthenticated SQL Injection

Dec 24, 2024 Patched in 5.5.23 (1d)
CVE-2024-43295 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP Data Access <= 5.5.7 - Cross-Site Request Forgery

Aug 16, 2024 Patched in 5.5.9 (4d)
CVE-2023-1874 · high · 7.5 · Incorrect Privilege Assignment

WP Data Access <= 5.3.7 - Authenticated (Subscriber+) Privilege Escalation

Apr 6, 2023 Patched in 5.3.8 (292d)
CVE-2021-24866 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

WP Data Access <= 4.3.1 - Admin+ SQL Injection

Nov 8, 2021 Patched in 5.0.0 (806d)
Version History

WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards Release Timeline

Code Analysis
Analyzed Mar 16, 2026

WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 34 (410 prepared)
Unescaped Output: 923 (3340 escaped)
Nonce Checks: 76
Capability Checks: 7
File Operations: 40
External Requests: 5
Bundled Libraries: 2

Bundled Libraries

DataTables, Freemius 1.0

SQL Query Safety

92% prepared · 444 total queries

Output Escaping

78% escaped · 4263 total outputs
Data Flows · Security
16 unsanitized

Data Flow Analysis

25 flows · 16 with unsanitized paths
create_export (WPDataAccess\Backup\WPDA_Data_Export.php:56)
Attack Surface
21 unprotected

WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards Attack Surface

Entry Points: 27
Unprotected: 21

AJAX Handlers 21

auth wp_ajax_wpda_save_dashboard includes\class-wp-data-access.php:228
auth wp_ajax_wpda_dashboard_list includes\class-wp-data-access.php:229
auth wp_ajax_wpda_widget_load_panel includes\class-wp-data-access.php:230
auth wp_ajax_wpda_widget_delete includes\class-wp-data-access.php:231
auth wp_ajax_wpda_widget_code_add includes\class-wp-data-access.php:232
auth wp_ajax_wpda_widget_dbms_add includes\class-wp-data-access.php:233
auth wp_ajax_wpda_widget_dbms_refresh includes\class-wp-data-access.php:234
auth wp_ajax_wpda_remove_new_dashboard_message includes\class-wp-data-access.php:235
auth wp_ajax_wpda_widget_pub_add includes\class-wp-data-access.php:236
auth wp_ajax_wpda_widget_chart_add includes\class-wp-data-access.php:237
auth wp_ajax_wpda_widget_chart_refresh includes\class-wp-data-access.php:238
auth wp_ajax_wpda_global_search includes\class-wp-data-access.php:256
auth wp_ajax_wpda_global_replace includes\class-wp-data-access.php:257
auth wp_ajax_wpda_dbinit_admin includes\class-wp-data-access.php:286
auth wp_ajax_wpda_test_publication includes\class-wp-data-access.php:342
auth wp_ajax_wpda_datatables includes\class-wp-data-access.php:449
nopriv wp_ajax_wpda_datatables includes\class-wp-data-access.php:450
auth wp_ajax_wpda_export includes\class-wp-data-access.php:452
nopriv wp_ajax_wpda_export includes\class-wp-data-access.php:453
auth wp_ajax_wpda_autocomplete includes\class-wp-data-access.php:464
nopriv wp_ajax_wpda_autocomplete includes\class-wp-data-access.php:465

Shortcodes 6

[wpda_app_builder] public\class-wp-data-access-public.php:258
[wpda_app] public\class-wp-data-access-public.php:259
[wpda_data_explorer] public\class-wp-data-access-public.php:260
[wpda_query_builder] public\class-wp-data-access-public.php:261
[wpdataaccess] public\class-wp-data-access-public.php:262
[wpdadiehard] public\class-wp-data-access-public.php:263

WordPress Hooks 54

action init includes\class-wp-data-access.php:104
action rest_api_init includes\class-wp-data-access.php:105
action init includes\class-wp-data-access.php:134
action admin_init includes\class-wp-data-access.php:153
action admin_menu includes\class-wp-data-access.php:156
action admin_menu includes\class-wp-data-access.php:157
filter submenu_file includes\class-wp-data-access.php:163
action admin_enqueue_scripts includes\class-wp-data-access.php:165
action admin_enqueue_scripts includes\class-wp-data-access.php:166
action in_admin_header includes\class-wp-data-access.php:167
action admin_head includes\class-wp-data-access.php:168
action admin_menu includes\class-wp-data-access.php:170
action admin_action_wpda_query_builder_execute_sql includes\class-wp-data-access.php:173
action admin_action_wpda_query_builder_save_sql includes\class-wp-data-access.php:174
action admin_action_wpda_query_builder_open_sql includes\class-wp-data-access.php:175
action admin_action_wpda_query_builder_delete_sql includes\class-wp-data-access.php:176
action admin_action_wpda_query_builder_get_db_hints includes\class-wp-data-access.php:177
action admin_action_wpda_query_builder_set_db_hints includes\class-wp-data-access.php:178
action admin_action_wpda_query_builder_get_vqb includes\class-wp-data-access.php:179
action phpmailer_init includes\class-wp-data-access.php:193
action admin_action_wpda_export includes\class-wp-data-access.php:226
action admin_action_wpda_add_favourite includes\class-wp-data-access.php:241
action admin_action_wpda_rem_favourite includes\class-wp-data-access.php:242
action admin_action_wpda_show_table_actions includes\class-wp-data-access.php:245
action admin_action_wpda_get_tables includes\class-wp-data-access.php:248
action admin_action_wpda_get_columns includes\class-wp-data-access.php:250
action admin_action_wpda_get_table_row_count includes\class-wp-data-access.php:252
action admin_action_wpda_get_table_widget_info includes\class-wp-data-access.php:254
action admin_action_wpda_export_project includes\class-wp-data-access.php:260
action wpda_data_backup includes\class-wp-data-access.php:263
action user_new_form includes\class-wp-data-access.php:266
action edit_user_profile includes\class-wp-data-access.php:267
action profile_update includes\class-wp-data-access.php:268
filter manage_users_columns includes\class-wp-data-access.php:269
action admin_action_wpda_check_remote_database_connection includes\class-wp-data-access.php:272
action wpda_dbinit includes\class-wp-data-access.php:274
filter script_loader_tag includes\class-wp-data-access.php:330
action admin_action_wpda_save_csv_mapping includes\class-wp-data-access.php:339
action admin_action_wpda_csv_preview_mapping includes\class-wp-data-access.php:340
action admin_footer includes\class-wp-data-access.php:344
action wpda_set_hard_row_count includes\class-wp-data-access.php:373
action init includes\class-wp-data-access.php:431
action wp_enqueue_scripts includes\class-wp-data-access.php:433
action wp_enqueue_scripts includes\class-wp-data-access.php:434
action admin_bar_menu includes\class-wp-data-access.php:435
action admin_bar_menu includes\class-wp-data-access.php:441
filter script_loader_tag includes\class-wp-data-access.php:455
filter plugin_row_meta wp-data-access.php:88
action plugins_loaded wp-data-access.php:130
action after_uninstall wp-data-access.php:212
filter plugin_icon wp-data-access.php:222
filter rest_authentication_errors WPDataAccess\API\WPDA_API.php:21
filter screen_settings WPDataAccess\List_Table\WPDA_List_View.php:606
action admin_footer WPDataAccess\Wordpress_Original\WP_List_Table.php:178

Scheduled Events 3

wpda_data_backup
wpda_data_backup
wpda_data_backup
Maintenance & Trust

WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Apr 16, 2026
PHP min version: 7.0
Downloads: 766K

Community Trust

Rating: 98/100
Number of ratings: 87
Active installs: 10K
Developer Profile

WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards Developer Profile

Passionate Programmer Peter

2 plugins · 11K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 159 days
Detection Fingerprints

How We Detect WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-data-access/build/css/admin-settings.css
/wp-content/plugins/wp-data-access/build/css/admin-table-editor.css
/wp-content/plugins/wp-data-access/build/css/admin-form-editor.css
/wp-content/plugins/wp-data-access/build/css/admin-chart-editor.css
/wp-content/plugins/wp-data-access/build/css/admin-builder.css
/wp-content/plugins/wp-data-access/build/css/frontend-form.css
/wp-content/plugins/wp-data-access/build/css/frontend-table.css
/wp-content/plugins/wp-data-access/build/css/frontend-chart.css
+8 more
Generator Patterns
WP Data Access v5.5.69
Version Parameters
wp-data-access/build/css/admin-settings.css?ver=
wp-data-access/build/css/admin-table-editor.css?ver=
wp-data-access/build/css/admin-form-editor.css?ver=
wp-data-access/build/css/admin-chart-editor.css?ver=
wp-data-access/build/css/admin-builder.css?ver=
wp-data-access/build/css/frontend-form.css?ver=
wp-data-access/build/css/frontend-table.css?ver=
wp-data-access/build/css/frontend-chart.css?ver=
wp-data-access/build/js/admin-settings.js?ver=
wp-data-access/build/js/admin-table-editor.js?ver=
wp-data-access/build/js/admin-form-editor.js?ver=
wp-data-access/build/js/admin-chart-editor.js?ver=
wp-data-access/build/js/admin-builder.js?ver=
wp-data-access/build/js/frontend-form.js?ver=
wp-data-access/build/js/frontend-table.js?ver=
wp-data-access/build/js/frontend-chart.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpda-admin-settings
wpda-admin-table-editor
wpda-admin-form-editor
wpda-admin-chart-editor
wpda-admin-builder
wpda-frontend-form
wpda-frontend-table
wpda-frontend-chart
HTML Comments
<!-- Global Plugin Variables -->
<!-- WPDA Global Variables -->
Data Attributes
data-wpda-table-id
data-wpda-form-id
data-wpda-chart-id
JS Globals
WPDA_API
wpda_global_data
REST Endpoints
/wp-json/wpda/v1/get_tables
/wp-json/wpda/v1/get_forms
/wp-json/wpda/v1/get_charts
/wp-json/wpda/v1/save_form_data
/wp-json/wpda/v1/save_table_data
Shortcode Output
[wp_data_access_table]
[wp_data_access_form]
[wp_data_access_chart]
FAQ

Frequently Asked Questions about WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards