Skip to main content

Create DB Tables CVE-2026-4119

| EUVDEUVD-2026-24662 CRITICAL
Missing Authorization (CWE-862)
2026-04-22 Wordfence GHSA-jpj9-vrh6-4wmc
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 22, 2026 - 20:37 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 09:59 vuln.today
EUVD ID Assigned
Apr 22, 2026 - 08:30 euvd
EUVD-2026-24662
Analysis Generated
Apr 22, 2026 - 08:30 vuln.today
CVE Published
Apr 22, 2026 - 07:45 nvd
CRITICAL 9.1

DescriptionCVE.org

The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.

AnalysisAI

Authorization bypass in Create DB Tables WordPress plugin allows any authenticated user, including Subscribers, to execute arbitrary database operations including DROP TABLE commands against critical WordPress core tables. Wordfence reported this vulnerability affecting all versions through 1.2.1, where admin_post hooks lack both capability checks and nonce verification. Attackers with minimal Subscriber-level credentials can destroy entire WordPress installations by deleting wp_users, wp_options, or other core tables. CVSS vector indicates network-based attack (AV:N) with no authentication required (PR:N), though the description confirms authentication IS required at Subscriber level - this discrepancy suggests the CVSS vector may be incorrectly scored. No active exploitation confirmed via CISA KEV at time of analysis, but the vulnerability is trivially exploitable given the code is publicly viewable in WordPress plugin repository.

Technical ContextAI

WordPress uses admin_post hooks to handle authenticated administrative actions, requiring users to be logged in but not necessarily having elevated privileges. Proper WordPress plugin development mandates two security layers: capability checks via current_user_can() to verify user permission levels (e.g., 'manage_options' for admin functions), and nonce verification via wp_verify_nonce() or check_admin_referer() to prevent CSRF attacks. The Create DB Tables plugin (CPE: cpe:2.3:a:jppreus:create_db_tables) registers admin_post_add_table and admin_post_delete_db_table hooks without implementing either protection mechanism. The cdbt_delete_db_table() function accepts unsanitized table names from POST parameters and passes them directly to DROP TABLE SQL statements. This represents CWE-862 (Missing Authorization), where functionality is exposed without proper access control enforcement. WordPress core tables like wp_users, wp_posts, wp_options, and wp_postmeta are all valid targets for deletion, as the plugin performs no validation on table names beyond what the user supplies.

RemediationAI

Immediately deactivate and uninstall the Create DB Tables plugin from all WordPress installations until a patched version is released. No vendor-released patch identified at time of analysis - the Wordfence advisory and WordPress plugin repository references point to vulnerable code in version 1.2.1 without indicating a fixed release. Monitor the WordPress plugin repository and Wordfence advisory for patch availability. As compensating controls, if the plugin must remain active temporarily, implement web application firewall (WAF) rules blocking POST requests to /wp-admin/admin-post.php with action parameters matching 'add_table' or 'delete_db_table' - this prevents exploitation but completely disables the plugin's core functionality. Alternatively, restrict WordPress user registration to prevent Subscriber account creation, reducing the attack surface to existing authenticated users only - this does not eliminate risk from compromised accounts or insider threats but limits exposure. Database backups are critical mitigation: implement automated daily backups stored off-server with tested restoration procedures, as successful exploitation results in permanent data loss requiring backup restoration. After applying a future patch, audit the wp_* database tables for unauthorized additions or verify against a clean WordPress schema to detect any malicious tables created during the vulnerability window. Review WordPress access logs for suspicious POST requests to admin-post.php endpoints as potential indicators of exploitation attempts.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-4119 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy