{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4119", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T13:27:41.833Z", "datePublished": "2026-04-22T07:45:41.323Z", "dateUpdated": "2026-04-22T07:45:41.323Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:41.323Z"}, "affected": [{"vendor": "jppreus", "product": "Create DB Tables", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation."}], "title": "Create DB Tables <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1a3bc4b-cc17-4728-b242-13841b5f7660?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L376"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L376"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L69"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L69"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L370"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L370"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L14"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L14"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L405"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L405"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L408"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L408"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2026-04-21T19:08:50.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation."}], "id": "CVE-2026-4119", "lastModified": "2026-04-22T09:16:23.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:23.330", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L370"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L376"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L405"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L408"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L14"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L69"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L370"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L376"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L405"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L408"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L14"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L69"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1a3bc4b-cc17-4728-b242-13841b5f7660?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T09:22:46.182246+00:00", "value": {"mitigation_remediation": ["Upgrade the Create DB Tables plugin to version 1.2.2 or later, which adds proper capability checks and nonce verification.", "If an immediate upgrade is not feasible, disable the Create DB Tables plugin to remove the vulnerable admin_post hooks.", "Review the roles and capabilities assigned to Subscriber and other non\u2011administrator accounts and restrict them so they cannot access admin_post endpoints; consider using a role\u2011management plugin to enforce stricter limits."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation leading to arbitrary database table creation or deletion"}, "threat_synthesis": {"affected_systems": "All WordPress sites running the Create DB Tables plugin version 1.2.1 or earlier are affected. The plugin is provided by jppreus and can be installed through the WordPress plugin repository.", "description_and_impact": "The Create DB Tables plugin registers two admin_post action hooks for creating and deleting database tables, but it does not perform capability checks or nonce verification. An attacker who is logged in, even as a Subscriber, can send a POST request to these endpoints and cause the plugin to execute DROP or CREATE TABLE statements against the WordPress database. This allows the attacker to delete core tables such as wp_users or wp_options, or create malicious tables, effectively destroying the site or enabling further compromise.", "risk_and_exploitability": "The vulnerability has a CVSS score of 9.1, indicating critical severity, and no EPSS score is available; it is not listed in the CISA KEV catalog. Because the attack vector requires only authentication, any user with a logged\u2011in account, including Subscribers, can perform the exploit. An attacker can therefore readily delete or create tables, compromising data integrity and availability across the entire WordPress installation."}}}}, "created": "2026-04-22T09:30:13.552706+00:00", "updated": "2026-04-22T09:30:13.552719+00:00", "vendors": []}