CVE-2026-4119 - WordPress Core
CVE-2026-4119
The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.
CVE-2026-4119
CRITICAL
CVSS 9.1
Published 2026-04-22
Updated 2026-04-22
AI Risk High (89/100)
Active Exploit: No strong signal
Published Exploit: No public exploit references
Priority: P2 Urgent
Severity Band
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Affected Components
2
Reference Links
10
AI Risk Engine
High (89/100)
Exploitability
High
Active Exploitation
No strong signal
Published Exploit Status
No public exploit references
AI Context
Machine-generated threat intelligence
AI
Updated 3 days ago
AI enriched 3 days ago (2026-04-22 19:24 UTC)
Technical Summary
The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a…
Potential Impact
Severity is CRITICAL (CVSS 9.1). Depending on deployment context, affected components may be exposed to unauthorized actions or data integrity risk.
Exploitability Assessment
Exploitability is assessed as High based on severity and technical exposure profile.
Primary risk drivers: severity and technical exposure profile
Mitigation Recommendations
Validate affected product versions, prioritize patching, and monitor references for vendor remediation guidance. If immediate patching is not possible, apply compensating controls and limit exposure of vulnerable surfaces.
Detection & Monitoring
Track authentication anomalies, unexpected file writes, and suspicious plugin API activity around affected components.
Business Impact Lens
AI risk score 89/100 (High, High) with priority P2 Urgent. Prioritize remediation where affected components process customer data, admin sessions, or Internet-exposed workflows.
