CVE 9.1 CRITICAL

Create DB Tables <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php_CVE-2026-4119

April 22, 2026 invoker category_cve

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Description

The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.

AI Analysis

Authorization bypass vulnerability in Create DB Tables plugin for WordPress, allowing authenticated attackers to create or delete arbitrary database tables.

Basic Information

ID CVE-2026-4119

Source Wordfence

Published Apr 22, 2026 at 07:45

Affected Product

Vendor jppreus

Product Create DB Tables

Version 1.2.1

Affected Versions jppreus Create DB Tables 0

CWE Classification

CWE-862

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor jppreus

Product Create DB Tables

Version 1.2.1

References

{
    "lastseen": "",
    "description": "The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.",
    "published": "2026-04-22T07:45:41.323Z",
    "modified": "2026-04-22T07:45:41.323Z",
    "type": "cve",
    "title": "Create DB Tables <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1a3bc4b-cc17-4728-b242-13841b5f7660?source=cve\nhttps://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L376\nhttps://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L376\nhttps://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L69\nhttps://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L69\nhttps://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L370\nhttps://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L370\nhttps://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L14\nhttps://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L14\nhttps://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L405\nhttps://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L405\nhttps://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L408\nhttps://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L408",
    "id": "CVE-2026-4119",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "jppreus Create DB Tables 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Create DB Tables",
    "version": "1.2.1",
    "vendor": "jppreus",
    "ai_description": "Authorization bypass vulnerability in Create DB Tables plugin for WordPress, allowing authenticated attackers to create or delete arbitrary database tables.",
    "ai_severity": "Critical",
    "ai_vendor": "jppreus",
    "ai_product": "Create DB Tables",
    "ai_version": "1.2.1",
    "ai_score": 9.1
}

💭 Join the Security Discussion ❌ Cancel Reply