Impact
The WP Table Builder – Drag & Drop Table Builder plugin for WordPress contains an incorrect authorization check in its save_table() function. The flaw allows any authenticated user with the Subscriber role or higher to create new wptb-table posts, effectively letting them add arbitrary tables to the site. This is an incorrect authorization weakness in role-based access control (CWE-863) and can be used to bypass the intended restrictions on table creation. It does not provide direct code execution, but an attacker can manipulate site content and potentially disrupt normal operation.
Affected Systems
All installations of WP Table Builder versions up to and including 2.0.19 are affected. The plugin is installed as a standard WordPress plugin, so any WordPress site that has it installed and has users with Subscriber-level access is potentially impacted.
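A triage check built on the two facts above (affected versions up to and including 2.0.19, and wptb-table posts that low-privilege users can create). This is an added example, not code from the plugin or the advisory. It assumes the input is the JSON printed by `wp post list --post_type=wptb-table --fields=ID,post_author,post_date --format=json` and `wp user list --fields=ID,user_login,roles --format=json`; the sample records and the `TRUSTED_ROLES` set are constructed assumptions to adapt per site.

```python
import json
import re

LAST_AFFECTED = (2, 0, 19)          # advisory: up to and including 2.0.19
TRUSTED_ROLES = {"administrator"}   # assumption: roles expected to create tables here

def parse_version(text):
    """Turn '2.0.19' into (2, 0, 19); trailing zeros drop so 2.0.19.0 == 2.0.19."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(version):
    return parse_version(version) <= LAST_AFFECTED

def untrusted_tables(posts, users):
    """Return wptb-table posts whose author holds none of TRUSTED_ROLES."""
    roles_by_id = {str(u["ID"]): {r.strip() for r in u["roles"].split(",") if r.strip()}
                   for u in users}
    flagged = []
    for post in posts:
        roles = roles_by_id.get(str(post["post_author"]))  # None: author not in user list
        if roles is None or not (roles & TRUSTED_ROLES):
            shown = sorted(roles) if roles is not None else ["<unknown user>"]
            flagged.append({"ID": post["ID"], "post_author": str(post["post_author"]),
                            "roles": shown, "post_date": post["post_date"]})
    return flagged

# Constructed sample data in the shape WP-CLI emits with --format=json
SAMPLE_USERS = json.loads("""[
  {"ID": 1, "user_login": "siteadmin", "roles": "administrator"},
  {"ID": 7, "user_login": "reader7", "roles": "subscriber"}
]""")
SAMPLE_POSTS = json.loads("""[
  {"ID": 101, "post_author": "1", "post_date": "2025-01-10 09:00:00"},
  {"ID": 102, "post_author": "7", "post_date": "2025-02-02 03:14:00"},
  {"ID": 103, "post_author": "42", "post_date": "2025-02-02 03:15:00"}
]""")

if __name__ == "__main__":
    print("plugin 2.0.19 affected:", is_affected("2.0.19"))
    for row in untrusted_tables(SAMPLE_POSTS, SAMPLE_USERS):
        print(row)
```

Flagged rows are review candidates, not proof of abuse: an author's role may have changed since the table was created.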
Risk and Exploitability
The CVSS score of 4.3 indicates low to moderate severity, and the EPSS score of <1% shows a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, suggesting there is no known, widely used exploit for it. The attack requires only authenticated access with Subscriber or higher privileges, which many sites grant routinely. Because the vulnerability permits arbitrary table creation but does not enable further privileges or code execution, the overall risk remains low, though it still allows content injection that could be used for social engineering or site disruption.
OpenCVE Enrichment