Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.
AnalysisAI
Authorization bypass in Create DB Tables WordPress plugin allows any authenticated user, including Subscribers, to execute arbitrary database operations including DROP TABLE commands against critical WordPress core tables. Wordfence reported this vulnerability affecting all versions through 1.2.1, where admin_post hooks lack both capability checks and nonce verification. Attackers with minimal Subscriber-level credentials can destroy entire WordPress installations by deleting wp_users, wp_options, or other core tables. CVSS vector indicates network-based attack (AV:N) with no authentication required (PR:N), though the description confirms authentication IS required at Subscriber level - this discrepancy suggests the CVSS vector may be incorrectly scored. No active exploitation confirmed via CISA KEV at time of analysis, but the vulnerability is trivially exploitable given the code is publicly viewable in WordPress plugin repository.
Technical ContextAI
WordPress uses admin_post hooks to handle authenticated administrative actions, requiring users to be logged in but not necessarily having elevated privileges. Proper WordPress plugin development mandates two security layers: capability checks via current_user_can() to verify user permission levels (e.g., 'manage_options' for admin functions), and nonce verification via wp_verify_nonce() or check_admin_referer() to prevent CSRF attacks. The Create DB Tables plugin (CPE: cpe:2.3:a:jppreus:create_db_tables) registers admin_post_add_table and admin_post_delete_db_table hooks without implementing either protection mechanism. The cdbt_delete_db_table() function accepts unsanitized table names from POST parameters and passes them directly to DROP TABLE SQL statements. This represents CWE-862 (Missing Authorization), where functionality is exposed without proper access control enforcement. WordPress core tables like wp_users, wp_posts, wp_options, and wp_postmeta are all valid targets for deletion, as the plugin performs no validation on table names beyond what the user supplies.
RemediationAI
Immediately deactivate and uninstall the Create DB Tables plugin from all WordPress installations until a patched version is released. No vendor-released patch identified at time of analysis - the Wordfence advisory and WordPress plugin repository references point to vulnerable code in version 1.2.1 without indicating a fixed release. Monitor the WordPress plugin repository and Wordfence advisory for patch availability. As compensating controls, if the plugin must remain active temporarily, implement web application firewall (WAF) rules blocking POST requests to /wp-admin/admin-post.php with action parameters matching 'add_table' or 'delete_db_table' - this prevents exploitation but completely disables the plugin's core functionality. Alternatively, restrict WordPress user registration to prevent Subscriber account creation, reducing the attack surface to existing authenticated users only - this does not eliminate risk from compromised accounts or insider threats but limits exposure. Database backups are critical mitigation: implement automated daily backups stored off-server with tested restoration procedures, as successful exploitation results in permanent data loss requiring backup restoration. After applying a future patch, audit the wp_* database tables for unauthorized additions or verify against a clean WordPress schema to detect any malicious tables created during the vulnerability window. Review WordPress access logs for suspicious POST requests to admin-post.php endpoints as potential indicators of exploitation attempts.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24662
GHSA-jpj9-vrh6-4wmc