wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin Security & Risk Analysis

wordpress.org/plugins/wpdatatables

The best WordPress table plugin. Create responsive and searchable tables and charts from Excel (.xlsx, .xls or .ods), CSV, XML, JSON, and PHP.

70K active installs · v6.5.0.2 · PHP 7.4+ · WP 4.0+ · Updated Mar 5, 2026
Tags: chart, csv, datatable, table, table-builder
Score: 76 (B · Generally Safe)
CVEs total: 18
Unpatched: 0
Last CVE: Mar 3, 2026
Safety Verdict

Is wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin Safe to Use in 2026?

Mostly Safe

Score 76/100

wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin is generally safe to use. 18 past CVEs were resolved. Keep it updated.

18 known CVEs · Last CVE: Mar 3, 2026 · Updated 1mo ago
Risk Assessment

The wpdatatables plugin version 6.5.0.2 exhibits a mixed security posture. While it demonstrates some good practices, such as a high percentage of SQL queries using prepared statements and a substantial number of capability checks, several significant concerns warrant attention. The presence of 9 unprotected AJAX handlers represents a considerable attack surface without proper authorization, potentially allowing unauthorized actions. Furthermore, the taint analysis revealing 8 high-severity flows with unsanitized paths is alarming, indicating potential vulnerabilities in how user input is processed. The plugin's history of 18 known CVEs, including a currently unpatched critical vulnerability and a pattern of diverse vulnerability types like RFI, deserialization, XSS, and SQL injection, suggests a recurring struggle with robust security implementation. The 'unserialize' function, a known dangerous function, is also present. While the percentage of properly escaped outputs is decent, the identified issues in attack surface, taint analysis, and the extensive vulnerability history collectively point to a high-risk profile for this version.

Key Concerns

  • Unpatched CVE
  • High severity taint flows
  • Unprotected AJAX handlers
  • Dangerous function 'unserialize'
  • Unsanitized paths in taint analysis
  • Bundled outdated library DataTables v1.0
  • Low percentage of properly escaped outputs
Vulnerabilities
18

wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin Security Vulnerabilities

CVEs by Year

  • 2014: 2 CVEs
  • 2019: 2 CVEs
  • 2021: 5 CVEs
  • 2022: 2 CVEs
  • 2023: 2 CVEs
  • 2024: 4 CVEs
  • 2026: 1 CVE

Severity Breakdown

  • Critical: 3
  • High: 6
  • Medium: 9

18 total CVEs

CVE-2026-28039 · high · 8.1 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

wpDataTables (Premium) <= 6.5.0.1 - Unauthenticated Local File Inclusion

Mar 3, 2026 Patched in 6.5.0.2 (15d)
CVE-2024-3820 · critical · 10 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

wpDataTables - Tables & Table Charts (Premium) <= 6.3.1 - Unauthenticated SQL Injection

May 31, 2024 Patched in 6.3.2 (3d)
CVE-2024-3821 · high · 7.3 · Missing Authorization

wpDataTables - Tables & Table Charts (Premium) <= 6.3.2 - Missing Authorization to DataTable Access & Modification

May 31, 2024 Patched in 6.4 (517d)
CVE-2024-4895 · medium · 4.7 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 3.4.2.12 - Unauthenticated Stored Cross-Site Scripting via CSV Import

May 22, 2024 Patched in 3.4.2.14 (1d)
CVE-2024-0591 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 3.4.2.2 - Reflected Cross-Site Scripting.

Feb 20, 2024 Patched in 3.4.2.5 (161d)
CVE-2023-4314 · medium · 6.6 · Deserialization of Untrusted Data

wpDataTables - Tables & Table Charts <= 2.1.65 - Authenticated(Administrator+) PHP Object Injection

Aug 16, 2023 Patched in 2.1.66 (160d)
CVE-2023-23876 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

wpDataTables <= 2.1.49 - Authenticated (Contributor+) Stored Cross Site Scripting

Feb 20, 2023 Patched in 2.1.50 (337d)
CVE-2022-29432 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

wpDataTables <= 2.1.27 - Authenticated Cross-Site Scripting

May 6, 2022 Patched in 2.1.28 (626d)
CVE-2022-25618 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

wpDataTables – WordPress Tables & Table Charts Plugin <= 2.1.27 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 4, 2022 Patched in 2.1.28 (659d)
CVE-2021-24197 · high · 8.1 · Improper Access Control

wpDataTables (Premium) <= 3.4.1 - Improper Access Control leading to Table Permission Takeover

Mar 16, 2021 Patched in 3.4.2 (1043d)
CVE-2021-24200 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

wpDataTables (Premium) <= 3.4.1 - Blind SQL Injection via length Parameter

Mar 16, 2021 Patched in 3.4.2 (1043d)
CVE-2021-24198 · high · 8.1 · Improper Access Control

wpDataTables (Premium) <= 3.4.1 - Improper Access Control leading to Table Data Deletion

Mar 16, 2021 Patched in 3.4.2 (1043d)
CVE-2021-24199 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

wpDataTables (Premium) <= 3.4.1 - Blind SQL Injection via start Parameter

Mar 16, 2021 Patched in 3.4.2 (1043d)
CVE-2021-26754 · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

wpDataTables (Premium) <= 3.4 - SQL Injection

Feb 2, 2021 Patched in 3.4.1 (1085d)
CVE-2019-6012 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

wpDataTables Lite plugin <= 2.0.11 - SQL injection

Oct 16, 2019 Patched in 2.0.12 (1560d)
CVE-2019-6011 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

wpDataTables Lite plugin <= 2.0.11 - Cross-Site Scripting

Oct 16, 2019 Patched in 2.0.12 (1560d)
WF-6ab975b0-4216-46df-bf5e-91e403728e5b-wpdatatables · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

wpDataTables <= 1.5.3 - Arbitrary File Upload

Nov 25, 2014 Patched in 1.5.4 (3346d)
CVE-2014-9175 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

wpDataTables (Premium) <= 1.5.3 - SQL Injection

Nov 23, 2014 Patched in 1.5.4 (3348d)
Code Analysis
Analyzed Mar 16, 2026

wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 16 (66 prepared)
  • Unescaped Output: 185 (486 escaped)
  • Nonce Checks: 23
  • Capability Checks: 50
  • File Operations: 6
  • External Requests: 3
  • Bundled Libraries: 1

Dangerous Functions Found

unserialize · $table->tabletools_config = unserialize($table->tabletools_config, ["allowed_classes" => false]); · source\class.wdtconfigcontroller.php:159
unserialize · return unserialize($serialized_content, ["allowed_classes" => false]); · source\class.wpdatatable.php:1959

Bundled Libraries

DataTables 1.0

SQL Query Safety

80% prepared · 82 total queries

Output Escaping

72% escaped · 671 total outputs
Data Flows
12 unsanitized

Data Flow Analysis

17 flows · 12 with unsanitized paths
search_box (source\class.wdtbrowsechartstable.php:557)
Attack Surface
9 unprotected

wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin Attack Surface

Entry Points: 34
Unprotected: 9

AJAX Handlers 31

auth · wp_ajax_wpdatatables_save_table_config · controllers\wdt_admin_ajax_actions.php:26
auth · wp_ajax_wpdatatables_save_plugin_settings · controllers\wdt_admin_ajax_actions.php:41
auth · wp_ajax_wpdatatables_duplicate_table · controllers\wdt_admin_ajax_actions.php:213
auth · wp_ajax_wpdatatables_create_simple_table · controllers\wdt_admin_ajax_actions.php:259
auth · wp_ajax_wpdatatables_get_handsontable_data · controllers\wdt_admin_ajax_actions.php:281
auth · wp_ajax_wpdatatables_save_simple_table_data · controllers\wdt_admin_ajax_actions.php:414
auth · wp_ajax_wpdatatables_get_columns_data_by_table_id · controllers\wdt_admin_ajax_actions.php:433
auth · wp_ajax_wpdatatables_delete_log_errors_cache · controllers\wdt_admin_ajax_actions.php:457
auth · wp_ajax_wpdatatable_list_all_tables · controllers\wdt_admin_ajax_actions.php:471
auth · wp_ajax_wpdatatable_show_chart_from_data · controllers\wdt_admin_ajax_actions.php:487
auth · wp_ajax_wpdatatable_save_chart_get_shortcode · controllers\wdt_admin_ajax_actions.php:503
auth · wp_ajax_wpdatatable_list_all_charts · controllers\wdt_admin_ajax_actions.php:518
auth · wp_ajax_wpdatatables_duplicate_chart · controllers\wdt_admin_ajax_actions.php:560
auth · wp_ajax_wpdatatables_get_nested_json_roots · controllers\wdt_admin_ajax_actions.php:603
auth · wp_ajax_wdtHideRating · controllers\wdt_functions.php:346
auth · wp_ajax_wdt_remove_forminator_notice · controllers\wdt_functions.php:358
auth · wp_ajax_wdt_remove_promo_notice · controllers\wdt_functions.php:369
auth · wp_ajax_wdt_remove_bundles_notice · controllers\wdt_functions.php:380
auth · wp_ajax_wdtHideSimpleTableAlert · controllers\wdt_functions.php:392
auth · wp_ajax_wdtTempHideRating · controllers\wdt_functions.php:405
auth · wp_ajax_wdtSaveDeactivationinfo · controllers\wdt_functions.php:1017
auth · wp_ajax_wpdatatables_get_ivy_forms_form_fields · integrations\ivyforms\ivyforms-integration.php:18
auth · wp_ajax_wpdatatables_save_ivyforms_table_config · integrations\ivyforms\ivyforms-integration.php:21
auth · wp_ajax_ivyforms_one_click_install · integrations\ivyforms\ivyforms-integration.php:26
auth · wp_ajax_wpdatatables_load_permissions · source\class.permissions.admin.php:445
auth · wp_ajax_wpdatatables_save_permission · source\class.permissions.admin.php:446
auth · wp_ajax_wpdatatables_update_permission · source\class.permissions.admin.php:447
auth · wp_ajax_wpdatatables_delete_permission · source\class.permissions.admin.php:448
auth · wp_ajax_wpdatatables_get_permission · source\class.permissions.admin.php:449
auth · wp_ajax_wdtable_update_cache · source\class.wpdatatablecache.php:173
nopriv · wp_ajax_wdtable_update_cache · source\class.wpdatatablecache.php:174

Shortcodes 3

[wpdatatable] wpdatatables.php:132
[wpdatachart] wpdatatables.php:133
[wpdatatable_cell] wpdatatables.php:134

WordPress Hooks 46

action · admin_menu · controllers\wdt_admin.php:141
action · admin_head · controllers\wdt_admin.php:153
filter · admin_body_class · controllers\wdt_admin.php:180
action · admin_enqueue_scripts · controllers\wdt_admin.php:257
action · wpdatatables_enqueue_on_admin_pages · controllers\wdt_admin.php:269
action · admin_notices · controllers\wdt_functions.php:334
action · wpmu_new_blog · controllers\wdt_functions.php:570
filter · wpmu_drop_tables · controllers\wdt_functions.php:590
action · admin_enqueue_scripts · controllers\wdt_functions.php:1027
filter · mce_external_plugins · controllers\wdt_functions.php:1086
filter · mce_buttons · controllers\wdt_functions.php:1087
action · init · controllers\wdt_functions.php:1090
action · activated_plugin · controllers\wdt_functions.php:1141
filter · query · controllers\wdt_functions.php:1147
filter · plugin_row_meta · controllers\wdt_functions.php:1212
action · wpdatatables_enqueue_on_edit_page · integrations\ivyforms\ivyforms-integration.php:17
action · wpdatatables_add_table_type_option · integrations\ivyforms\ivyforms-integration.php:19
action · wpdatatables_add_data_source_elements · integrations\ivyforms\ivyforms-integration.php:20
action · wpdatatables_generate_ivyforms · integrations\ivyforms\ivyforms-integration.php:22
action · wpdatatables_add_table_configuration_tab · integrations\ivyforms\ivyforms-integration.php:23
action · wpdatatables_add_table_configuration_tabpanel · integrations\ivyforms\ivyforms-integration.php:24
filter · wpdatatables_filter_insert_table_array · integrations\ivyforms\ivyforms-integration.php:25
action · init · integrations\ivyforms\ivyforms-integration.php:609
action · fusion_builder_before_init · integrations\page_builders\avada\class.wdtavadaelements.php:12
action · fusion_builder_before_init · integrations\page_builders\avada\class.wdtavadaelements.php:13
action · wp_enqueue_scripts · integrations\page_builders\avada\class.wdtavadaelements.php:15
action · init · integrations\page_builders\avada\class.wdtavadaelements.php:155
action · divi_extensions_init · integrations\page_builders\divi-wpdt\divi-wpdt.php:41
action · elementor/widgets/widgets_registered · integrations\page_builders\elementor\class.wdtelementorblock.php:22
action · elementor/widgets/register · integrations\page_builders\elementor\class.wdtelementorblock.php:24
action · elementor/editor/before_enqueue_scripts · integrations\page_builders\elementor\class.wdtelementorblock.php:26
action · elementor/frontend/after_enqueue_styles · integrations\page_builders\elementor\class.wdtelementorblock.php:27
action · elementor/elements/categories_registered · integrations\page_builders\elementor\class.wdtelementorblock.php:28
action · elementor/init · integrations\page_builders\elementor\class.wdtelementorblock.php:42
action · enqueue_block_editor_assets · integrations\page_builders\gutenberg\WDTGutenbergBlocks.php:28
action · init · integrations\page_builders\gutenberg\WDTGutenbergBlocks.php:29
filter · block_categories_all · integrations\page_builders\gutenberg\WDTGutenbergBlocks.php:30
filter · members_get_capabilities · source\class.permissions.admin.php:39
filter · editable_roles · source\class.permissions.admin.php:46
action · admin_menu · source\class.permissions.admin.php:442
action · admin_enqueue_scripts · source\class.permissions.admin.php:443
action · init · source\class.permissions.admin.php:444
action · admin_footer · source\class.wdttools.php:1389
action · wp_footer · source\class.wpdatatable.php:2026
action · admin_notices · wpdatatables.php:40
action · plugins_loaded · wpdatatables.php:109
Maintenance & Trust

wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 5, 2026
PHP min version: 7.4
Downloads: 2.5M

Community Trust

Rating: 90/100
Number of ratings: 448
Active installs: 70K
Developer Profile

wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin Developer Profile

wpDataTables

3 plugins · 71K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 975 days
Detection Fingerprints

How We Detect wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
