CVE-2025-2939: 
WordPress vulnerability analysis and mitigation

The Ninja Tables – Easy Data Table Builder plugin for WordPress contains a PHP Object Injection vulnerability (CVE-2025-2939) in all versions up to and including 5.0.18. The vulnerability exists in the deserialization of untrusted input from the args[callback] parameter, allowing unauthenticated attackers to inject PHP objects. This vulnerability was discovered and reported by Wordfence (Wordfence Report).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) with a CVSS v3.1 Base Score of 5.6 MEDIUM (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L). The issue stems from unsafe deserialization of user input in the args[callback] parameter. While attackers can execute arbitrary functions through a POP chain, the impact is limited as it only allows calling single functions without user-supplied parameters (NVD Database).

The vulnerability allows unauthenticated attackers to execute arbitrary functions through PHP object injection, though with limited impact since only single functions can be called without user-supplied parameters. This could potentially lead to unauthorized access, information disclosure, or system manipulation within the constraints of the available function calls (NVD Database).

Users should upgrade to version 5.0.19 or later of the Ninja Tables plugin, which contains fixes for this vulnerability. The fix can be verified in the updated code at line 399 in the Client.php file (WordPress Source).