CVE-2026-4119
Received Received - Intake
Authorization Bypass in Create DB Tables Plugin Enables Arbitrary SQL

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: Wordfence

Description
The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-4119
EUVD
EUVD-2026-24662
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wordfence create_db_tables_plugin to 1.2.1 (inc)
wordfence create_db_tables to 1.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows authenticated users with minimal privileges to delete or create arbitrary database tables, including critical WordPress core tables. Such unauthorized access and potential destruction of data can lead to significant data integrity and availability issues.

While the provided context does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to delete or manipulate database tables containing sensitive user information could result in violations of data protection and security requirements mandated by these regulations.

Therefore, exploitation of this vulnerability could negatively impact compliance with common standards and regulations that require strict access controls, data integrity, and protection against unauthorized data modification or deletion.

Executive Summary

The Create DB Tables plugin for WordPress has an authorization bypass vulnerability in all versions up to 1.2.1. It registers admin_post action hooks for creating and deleting database tables without proper capability checks or nonce verification. This means any logged-in user, even those with minimal privileges like Subscribers, can access these functions.

Specifically, the plugin allows authenticated users to create arbitrary database tables or delete any existing tables by sending crafted requests. The deletion function executes a DROP TABLE SQL query based on user input, which can target critical WordPress core tables such as wp_users or wp_options.

As a result, attackers with low-level access can manipulate the database structure, potentially destroying the entire WordPress installation.

Impact Analysis

This vulnerability can have severe impacts including the complete destruction of your WordPress site's database. An attacker with even Subscriber-level access can delete critical database tables or create arbitrary tables, leading to loss of data, site downtime, and potential loss of user accounts and settings.

Because the attacker can delete core tables like wp_users or wp_options, the site could become unusable or require a full restore from backups, causing significant operational disruption.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4119. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart