CVE-2026-2306: CWE-862 Missing Authorization in techjewel Ninja Tables – Easy Data Table Builder
The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion.
AI Analysis
Technical Summary
CVE-2026-2306 is a missing authorization vulnerability (CWE-862) in the Ninja Tables – Easy Data Table Builder WordPress plugin affecting all versions up to 5.2.6. The vulnerability exists because the createFluentCartTable function does not properly verify user permissions before allowing database table creation. Authenticated users with Subscriber-level privileges or higher can exploit this to create arbitrary tables in the database, potentially causing database pollution and resource exhaustion. The vulnerability has a CVSS 3.1 base score of 4.3 (medium severity) with network attack vector, low attack complexity, and no user interaction required.
Potential Impact
Exploitation allows authenticated users with low privileges (Subscriber or above) to create arbitrary database tables within the Ninja Tables plugin. This can lead to database pollution and resource exhaustion, which may degrade the performance of the affected WordPress site. There is no direct impact on confidentiality or availability reported. No known active exploitation has been documented.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles and permissions to trusted users only, minimizing the number of users with Subscriber-level or higher access. Monitor for unusual database activity related to Ninja Tables. Avoid granting unnecessary access to authenticated users.
CVE-2026-2306: CWE-862 Missing Authorization in techjewel Ninja Tables – Easy Data Table Builder
Description
The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-2306 is a missing authorization vulnerability (CWE-862) in the Ninja Tables – Easy Data Table Builder WordPress plugin affecting all versions up to 5.2.6. The vulnerability exists because the createFluentCartTable function does not properly verify user permissions before allowing database table creation. Authenticated users with Subscriber-level privileges or higher can exploit this to create arbitrary tables in the database, potentially causing database pollution and resource exhaustion. The vulnerability has a CVSS 3.1 base score of 4.3 (medium severity) with network attack vector, low attack complexity, and no user interaction required.
Potential Impact
Exploitation allows authenticated users with low privileges (Subscriber or above) to create arbitrary database tables within the Ninja Tables plugin. This can lead to database pollution and resource exhaustion, which may degrade the performance of the affected WordPress site. There is no direct impact on confidentiality or availability reported. No known active exploitation has been documented.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles and permissions to trusted users only, minimizing the number of users with Subscriber-level or higher access. Monitor for unusual database activity related to Ninja Tables. Avoid granting unnecessary access to authenticated users.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-10T20:14:05.573Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69facff4cbff5d86109f182c
Added to database: 5/6/2026, 5:21:56 AM
Last enriched: 5/6/2026, 5:36:21 AM
Last updated: 5/7/2026, 6:18:08 AM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.