CVE-2021-24197: 
WordPress vulnerability analysis and mitigation

The wpDataTables WordPress plugin before version 3.4.2 contains an Improper Access Control vulnerability (CVE-2021-24197). A low privilege authenticated user that visits a page where a table is published can tamper with parameters to access data of other users present in the same table by taking over user permissions through the formdata[wdt_ID] parameter (N4NJ0 Advisory, WPScan).

The vulnerability exists in the table permission handling mechanism where an authenticated user can manipulate the formdata[wdt_ID] parameter in requests to admin-ajax.php. The issue has been assigned a CVSS score of 8.3 (High) and is classified under CWE-284 (Improper Access Control). The vulnerability affects both the premium and free versions of the plugin that share the same slug (WPScan).

By exploiting this vulnerability, an attacker with a low-privilege authenticated account can access and manage the data of all users in the same table. This allows unauthorized access to potentially sensitive information stored in table entries (N4NJ0 Advisory).

The vulnerability was fixed in wpDataTables version 3.4.2. Users should upgrade to this version or later to protect against this security issue (WPDataTables Changelog).

The vulnerability was discovered and reported by security researchers Veno Eivazian and Massimiliano Ferraresi. It was publicly disclosed on March 16, 2021, and subsequently assigned CVE-2021-24197 (WPScan).