Overview
A critical authorization bypass vulnerability has been disclosed in the Create DB Tables plugin for WordPress, tracked as CVE-2026-4119. The flaw carries a CVSS score of 9.1 (Critical) and affects all versions up to and including 1.2.1.
The vulnerability arises because the plugin registers admin_post action hooks for sensitive database operations — specifically admin_post_add_table (create a table) and admin_post_delete_db_table (delete a table) — without implementing any capability or nonce checks. Any unauthenticated or low-privilege user who can send an HTTP request to wp-admin/admin-post.php can trigger these hooks.
Technical Details
| Field | Details |
|---|---|
| CVE ID | CVE-2026-4119 |
| CVSS Score | 9.1 (Critical) |
| Affected Versions | Create DB Tables plugin <= 1.2.1 |
| Vulnerability Type | Authorization Bypass / Missing Capability Checks |
| Attack Vector | Network |
| Authentication Required | None |
| Published | 2026-04-22 |
| Source | NVD / NIST |
Impact
An attacker can exploit this vulnerability to:
- Create arbitrary database tables in the WordPress site's MySQL/MariaDB database, potentially filling disk space or creating tables with malicious schemas used in follow-up attacks.
- Delete any existing database tables, including core WordPress tables (`wp_users`, `wp_posts`, `wp_options`), which would render the site completely inoperable and cause irreversible data loss.
Because no authentication is required, the attack surface includes any internet-facing WordPress installation running the affected plugin version. Automated scanning and exploitation are trivial.
Reproduction
The vulnerability can be triggered with a simple HTTP POST request to the WordPress admin-post.php endpoint:

```http
POST /wp-admin/admin-post.php HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded

action=delete_db_table&table_name=wp_users
```

No session cookie, nonce, or elevated privileges are required for the request to be processed.
Mitigation
Immediate Actions
- Deactivate and remove the Create DB Tables plugin from all WordPress installations until a patched version is released.
- Audit your database for unexpected tables that may have been created by unauthorized parties.
- Check your database backups — if the `wp_users` or `wp_options` tables have been deleted or tampered with, restore from a known-good backup immediately.
Long-Term Hardening
- Restrict access to `wp-admin/admin-post.php` at the web server or WAF level for unauthenticated requests.
- Use a WordPress security plugin (e.g., Wordfence, Sucuri) to monitor and block unauthorized `admin-post` requests.
- Regularly audit installed plugins for missing authentication and nonce validation on sensitive actions.
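As an added illustration (not the plugin's own code, which the advisory does not show), the handler shape the advisory describes is reconstructed below beside a hardened version that adds the capability check, the nonce check and an allow-list of plugin-owned tables; the function, option and nonce names are assumptions.

```php
<?php
/*
 * Added illustration, not the plugin's source. The "unsafe" handler is a
 * reconstruction of what the advisory describes: an admin_post handler that
 * drops a request-named table with no capability or nonce check.
 * Function, option and nonce names are hypothetical.
 */

// VULNERABLE SHAPE (registration shown for contrast only; kept inactive here).
// add_action( 'admin_post_delete_db_table', 'cdt_delete_table_unsafe' );
// add_action( 'admin_post_nopriv_delete_db_table', 'cdt_delete_table_unsafe' );
function cdt_delete_table_unsafe() {
    global $wpdb;
    $table = $_POST['table_name'];                     // request-controlled
    $wpdb->query( "DROP TABLE IF EXISTS `{$table}`" ); // no authz, no nonce, no allow-list
    wp_safe_redirect( admin_url( 'tools.php' ) );
    exit;
}

// HARDENED FORM. Only the logged-in hook is registered (no *_nopriv_ variant),
// and the handler re-checks capability and nonce itself rather than trusting
// the hook name to do so.
add_action( 'admin_post_delete_db_table', 'cdt_delete_table_safe' );
function cdt_delete_table_safe() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    // Dies with 403 unless the form included wp_nonce_field( 'cdt_delete_table', 'cdt_nonce' ).
    check_admin_referer( 'cdt_delete_table', 'cdt_nonce' );

    $table = isset( $_POST['table_name'] ) ? wp_unslash( $_POST['table_name'] ) : '';
    // Strict identifier syntax: backticks alone do not stop a crafted name, so
    // reject anything outside [A-Za-z0-9_] before it reaches the query.
    if ( ! preg_match( '/^[A-Za-z0-9_]{1,64}$/', $table ) ) {
        wp_die( esc_html__( 'Invalid table name.' ), '', array( 'response' => 400 ) );
    }
    // Allow-list: only tables this plugin recorded as its own may be dropped,
    // which keeps wp_users / wp_posts / wp_options out of reach by construction.
    $owned = (array) get_option( 'cdt_created_tables', array() );
    if ( ! in_array( $table, $owned, true ) ) {
        wp_die( esc_html__( 'Table is not managed by this plugin.' ), '', array( 'response' => 400 ) );
    }
    $wpdb->query( "DROP TABLE IF EXISTS `{$table}`" );
    wp_safe_redirect( add_query_arg( 'cdt_deleted', '1', admin_url( 'tools.php' ) ) );
    exit;
}
```

When auditing a plugin, the pattern to look for is any `admin_post_*` (or `admin_post_nopriv_*`) callback that reaches `$wpdb` or the filesystem without both a `current_user_can()` and a `check_admin_referer()` / `wp_verify_nonce()` call on the way.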
Patch Status
As of the disclosure date (2026-04-22), no patched version has been released. Plugin authors have been notified through the WordPress Plugins team. Monitor the WordPress Plugin Repository for updates.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- Attack Vector (AV): Network — exploitable remotely without physical access
- Attack Complexity (AC): Low — no special conditions required
- Privileges Required (PR): None — no authentication needed
- User Interaction (UI): None — fully automated exploitation possible
- Confidentiality (C): None — data is not directly exposed by this vector
- Integrity (I): High — arbitrary database tables can be created with attacker-controlled data
- Availability (A): High — deletion of core tables causes complete site outage
References
- NVD Entry — CVE-2026-4119
- WordPress Plugin Repository — Create DB Tables
- OWASP — Missing Function Level Access Control