Allan Jardine

5 exploits Active since Dec 2020
CVE-2020-28458 WRITEUP HIGH WRITEUP
datatables.net < 1.10.23 - Prototype Pollution
All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.
CVSS 7.3
CVE-2025-5096 WRITEUP MEDIUM WRITEUP
TablePress <= 3.1.2 - Authenticated DOM-Based Stored Cross-Site Scripting via Data Attributes
The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS 6.4
CVE-2021-23445 WRITEUP LOW WRITEUP
datatables.net < 1.11.3 - Cross-Site Scripting via HTML Escape Entities Function
This affects the package datatables.net before 1.11.3. If an array is passed to the HTML escape entities function it would not have its contents escaped.
CVSS 3.1
CVE-2025-11031 WRITEUP MEDIUM WRITEUP
DataTables <1.10.13 - Path Traversal
A flaw has been found in DataTables up to 1.10.13. The affected element is an unknown function of the file /examples/resources/examples.php. This manipulation of the argument src causes path traversal. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 1.10.15 is sufficient to fix this issue. Patch name: 3b24f99ac4ddb7f9072076b0d07f0b1a408f177a. Upgrading the affected component is advised. This vulnerability was initially reported for code-projects Faculty Management System but appears to affect DataTables as an upstream component instead. The vendor of DataTables explains: "I would suggest that the author upgrade to the latest versions of DataTables (actually, they shouldn't really be deploying that file to their own server at all - it is only relevant for the DataTables examples)."
CVSS 5.3
CVE-2025-5096 WRITEUP MEDIUM WRITEUP
TablePress <= 3.1.2 - Authenticated DOM-Based Stored Cross-Site Scripting via Data Attributes
The TablePress plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-caption', 'data-s-content-padding', 'data-s-title', and 'data-footer' data-attributes in all versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS 6.4