CVE-2026-4119
Authorization Bypass in Create DB Tables Plugin Enables Arbitrary SQL
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | create_db_tables_plugin | up to and including 1.2.1 |
| wordfence | create_db_tables | up to and including 1.2.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Create DB Tables plugin for WordPress has an authorization bypass in all versions up to and including 1.2.1. It registers admin_post_{action} hooks for creating and deleting database tables without a capability check or nonce verification. WordPress runs admin_post_{action} handlers for any logged-in user who requests admin-post.php?action=..., so any authenticated user, down to the Subscriber role, can invoke these functions.
Specifically, an authenticated user can create arbitrary tables or drop any existing table by sending a crafted request. The deletion handler builds a DROP TABLE statement from user-supplied input, so it can be pointed at WordPress core tables such as wp_users or wp_options.
As a result, an attacker with low-privilege access can alter the database schema and effectively destroy the WordPress installation.
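The following PHP is an added example, not code from the Create DB Tables plugin or from Wordfence. It reconstructs the handler pattern the advisory describes (an admin_post_{action} hook that drops whatever table the request names, with no authorization or nonce check) and places a hardened equivalent beside it. The hook name example_drop_table, the POST field table, the nonce action example_drop_table_nonce, the manage_options capability and the example_ table namespace are all assumptions made for this illustration.

```php
<?php
/**
 * Added example, not the plugin's code. Hook name, field name, nonce action,
 * capability and table namespace are assumptions for this illustration.
 */

// ---------------------------------------------------------------------------
// Pattern described in the advisory (vulnerable). admin_post_{action} fires
// for every logged-in user who submits admin-post.php?action=example_drop_table,
// Subscribers included; only admin_post_nopriv_{action} would also fire for
// anonymous visitors. Nothing here asks who is calling or whether the request
// was intended, and the table name goes straight into the SQL.
// Wiring would be: add_action( 'admin_post_example_drop_table', 'example_drop_table_unsafe' );
// ---------------------------------------------------------------------------
function example_drop_table_unsafe() {
    global $wpdb;
    $table = $_POST['table'];                        // attacker-controlled
    $wpdb->query( "DROP TABLE IF EXISTS $table" );   // e.g. table=wp_users
    wp_safe_redirect( admin_url( 'tools.php' ) );
    exit;
}

// ---------------------------------------------------------------------------
// Hardened handler.
// ---------------------------------------------------------------------------
function example_drop_table_safe() {
    global $wpdb;

    // 1. Authorization: schema changes are an administrator-only operation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to drop tables.', 403 );
    }

    // 2. Nonce: ties the request to a form this site rendered, so a genuine
    //    administrator cannot be tricked into dropping a table via CSRF.
    check_admin_referer( 'example_drop_table_nonce' );

    // 3. Input validation: a table name is an identifier, not a value, so it
    //    cannot be bound with $wpdb->prepare(). Accept only a strict pattern.
    $name = isset( $_POST['table'] ) ? (string) wp_unslash( $_POST['table'] ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_]{1,40}$/', $name ) ) {
        wp_die( 'Invalid table name.', 400 );
    }

    // 4. Namespacing: operate only on tables this plugin created. Prefixing
    //    with $wpdb->prefix . 'example_' excludes wp_users, wp_options and
    //    every other core table by construction.
    $full = $wpdb->prefix . 'example_' . $name;

    // 5. Defense in depth: refuse anything WordPress itself owns, even if the
    //    namespace rule above is ever relaxed. $wpdb->tables('all') returns
    //    the prefixed names of the core tables.
    if ( in_array( $full, $wpdb->tables( 'all' ), true ) ) {
        wp_die( 'Refusing to drop a core table.', 400 );
    }

    // The identifier is now known to contain only [A-Za-z0-9_], so it is safe
    // to interpolate inside backticks.
    $wpdb->query( "DROP TABLE IF EXISTS `{$full}`" );

    wp_safe_redirect( add_query_arg( 'dropped', $name, admin_url( 'tools.php' ) ) );
    exit;
}
add_action( 'admin_post_example_drop_table', 'example_drop_table_safe' );

// Form that targets the hardened handler: the hidden action field selects the
// hook and wp_nonce_field() emits the token that check_admin_referer() expects.
function example_drop_table_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_drop_table">
        <?php wp_nonce_field( 'example_drop_table_nonce' ); ?>
        <input type="text" name="table" pattern="[A-Za-z0-9_]{1,40}" required>
        <?php submit_button( 'Drop plugin table' ); ?>
    </form>
    <?php
}
```

The two checks address different failures: current_user_can() is the missing authorization (CWE-862) that lets a Subscriber reach the handler at all, while check_admin_referer() stops a forged request from a browser where an administrator is already logged in. The identifier validation and namespacing are what keep the DROP TABLE from ever reaching a core table, whichever caller gets through.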
How can this vulnerability impact me?
This vulnerability can have severe impacts including the complete destruction of your WordPress site's database. An attacker with even Subscriber-level access can delete critical database tables or create arbitrary tables, leading to loss of data, site downtime, and potential loss of user accounts and settings.
Because the attacker can delete core tables like wp_users or wp_options, the site could become unusable or require a full restore from backups, causing significant operational disruption.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets authenticated users with minimal privileges create or drop arbitrary database tables, including WordPress core tables, so its primary effect is on data integrity and availability.
The advisory itself does not address GDPR, HIPAA or similar regimes, but dropping or altering tables that hold personal data (wp_users, for example) is a loss of integrity and availability of that data, which these regulations require organisations to guard against.
Exploitation could therefore put a site out of compliance with any standard that requires strict access controls, data integrity, and protection against unauthorized modification or deletion.