Vulnerabilities and security researches forwp-data-access wp-data-access

Jun 07, 2024

CVE, Research URL: CVE-2021-24866
Home page URL: Security reports for WP Data Access
Application: WP Data Access
Date: Dec 06, 2021
Research Description: The WP Data Access WordPress plugin before 5.0.0 does not properly sanitise and escape the backup_date parameter before using it a SQL statement, leading to a SQL injection issue and could allow arbitrary table deletion
Affected versions: max 5.1.4.
Status: vulnerable

CVE, Research URL: CVE-2023-1874
Home page URL: Security reports for WP Data Access
Application: WP Data Access
Date: Apr 12, 2023
Research Description: The WP Data Access plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.3.7. This is due to a lack of authorization checks on the multiple_roles_update function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wpda_role[]' parameter during a profile update. This requires the 'Enable role management' setting to be enabled for the site.
Affected versions: max 5.3.8.
Status: vulnerable

Aug 20, 2024

CVE, Research URL: CVE-2024-43295
Home page URL: Security reports for WP Data Access
Application: WP Data Access
Date: Aug 27, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Passionate Programmers B.V. WP Data Access.This issue affects WP Data Access: from n/a through 5.5.7.
Affected versions: max 5.5.9.
Status: vulnerable

Nov 15, 2024

CVE, Research URL: CVE-2022-4974
Home page URL: Security reports for WP Data Access
Application: WP Data Access
Date: Oct 16, 2024
Research Description: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme running a version of Freemius less than 2.4.3 is vulnerable.
Affected versions: max 5.1.4.
Status: vulnerable

Dec 25, 2024

CVE, Research URL: CVE-2024-12428
Home page URL: Security reports for WP Data Access
Application: WP Data Access
Date: Dec 25, 2024
Research Description: The WP Data Access – App, Table, Form and Chart Builder plugin plugin for WordPress is vulnerable to SQL Injection via the 'order[user_login][dir]' parameter in all versions up to, and including, 5.5.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: max 5.5.23.
Status: vulnerable

Apr 18, 2025

CVE, Research URL: CVE-2025-39582
Home page URL: Security reports for WP Data Access
Application: WP Data Access
Date: Apr 16, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Passionate Programmer Peter WP Data Access allows DOM-Based XSS. This issue affects WP Data Access: from n/a through 5.5.36.
Affected versions: max 5.5.37.
Status: vulnerable

Apr 15, 2026

CVE, Research URL: CVE-2026-0557
Home page URL: Security reports for WP Data Access
Application: WP Data Access
Date: Feb 14, 2026
Research Description: The WP Data Access plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpda_app' shortcode in all versions up to, and including, 5.5.63 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 5.5.64.
Status: vulnerable

May 02, 2026

CVE, Research URL: CVE-2024-13362
Home page URL: Security reports for WP Data Access
Application: WP Data Access
Date: May 01, 2026
Research Description: Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: max 1.0.
Status: vulnerable

May 13, 2026

CVE, Research URL: CVE-2026-42665
Home page URL: Security reports for WP Data Access
Application: WP Data Access
Date: -
Research Description: WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards [wp-data-access] < 5.5.71 CVE-2026-42665
Affected versions: max 5.5.71.
Status: vulnerable