Description
The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.
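The pattern the description names, reconstructed as an added illustration rather than the plugin's actual source: an admin_post handler that trusts $_POST['db_table'] and drops whatever it names, beside a hardened handler that checks capability, verifies a nonce and validates the identifier. The hook name and the db_table field come from the advisory; the capability name, nonce action, table-name prefix and helper names are assumptions.

```php
<?php
/*
 * Added example (not the plugin's code). Reconstructs the vulnerable admin_post
 * handler described in the advisory and a hardened replacement.
 * Assumptions: 'manage_options' as the required capability, 'cdbt_delete_db_table'
 * as the nonce action, and '{prefix}cdbt_' as the plugin-owned table namespace.
 */

// --- Vulnerable pattern, as described in the advisory ---
// Registered in the vulnerable version as:
//   add_action( 'admin_post_delete_db_table', 'cdbt_delete_db_table_vulnerable' );
// admin_post_* fires for any logged-in user, so a Subscriber reaches this code.
function cdbt_delete_db_table_vulnerable() {
    global $wpdb;
    $table = $_POST['db_table'];            // attacker-controlled, unchecked
    $wpdb->query( "DROP TABLE $table" );     // e.g. db_table=wp_users
}

// --- Hardened handler (added example) ---
add_action( 'admin_post_delete_db_table', 'cdbt_delete_db_table_hardened' );
function cdbt_delete_db_table_hardened() {
    global $wpdb;

    // 1. Authorization: being logged in is not enough; require a site-management capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF: the submitting form must carry wp_nonce_field( 'cdbt_delete_db_table' ).
    check_admin_referer( 'cdbt_delete_db_table' );

    // 3. Identifier validation: DROP TABLE takes an identifier, which $wpdb->prepare()
    //    cannot parameterise, so the value must be a strict identifier and confined
    //    to tables this plugin created. Core tables are rejected explicitly.
    $table = isset( $_POST['db_table'] ) ? wp_unslash( $_POST['db_table'] ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_]{1,64}$/', $table ) ) {
        wp_die( 'Invalid table name.', '', array( 'response' => 400 ) );
    }
    $allowed_prefix = $wpdb->prefix . 'cdbt_';          // assumed plugin namespace
    $core_tables    = $wpdb->tables( 'all', true );      // wp_users, wp_options, ...
    if ( 0 !== strpos( $table, $allowed_prefix ) || in_array( $table, $core_tables, true ) ) {
        wp_die( 'Table is not managed by this plugin.', '', array( 'response' => 403 ) );
    }

    $wpdb->query( 'DROP TABLE IF EXISTS `' . $table . '`' );

    wp_safe_redirect( add_query_arg( 'cdbt_deleted', '1', admin_url( 'tools.php' ) ) );
    exit;
}
```

The three checks are independent: the capability check stops Subscribers, the nonce stops a cross-site request that rides an administrator's session, and the identifier allowlist limits the blast radius even if the first two are ever bypassed. The same structure applies to the add_table handler the advisory names.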
Published: 2026-04-22
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Missing authorization (CWE-862) allowing any authenticated user, Subscriber and above, to create arbitrary database tables or drop any existing table
Action: Immediate Patch
AI Analysis

Impact

The Create DB Tables plugin registers two admin_post action hooks (admin_post_add_table and admin_post_delete_db_table) for creating and deleting database tables, but performs neither a capability check nor nonce verification in the handlers. Any logged-in user, even a Subscriber, can POST to wp-admin/admin-post.php with the matching action value and make the plugin execute DROP TABLE or CREATE TABLE statements against the WordPress database. Because the table name is taken directly from $_POST['db_table'], the attacker can drop core tables such as wp_users or wp_options, taking the site down outright, or create tables of their choosing for later abuse. The absence of a nonce also means the same actions can be triggered cross-site through an administrator's browser session.

Affected Systems

All WordPress sites running the Create DB Tables plugin version 1.2.1 or earlier are affected. The plugin is provided by jppreus and can be installed through the WordPress plugin repository.

Risk and Exploitability

The vulnerability has a CVSS 3.1 base score of 9.1 (Critical); EPSS estimates the probability of exploitation in the wild at below 1%, and it is not listed in the CISA KEV catalog. The only precondition is a logged-in account of any role, so any Subscriber can perform the attack, and on sites with open registration (Settings > General > Membership, default role Subscriber) an attacker can create that account themselves. Note that the published vector (PR:N) does not reflect the authentication requirement stated in the description; with PR:L the same vector scores 8.1, which does not change the practical conclusion: an attacker can readily drop or create tables, compromising data integrity and availability across the entire WordPress installation.

Generated by OpenCVE AI on April 22, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Create DB Tables plugin to a release newer than 1.2.1 that adds capability checks and nonce verification to the admin_post handlers (the recommended actions cite 1.2.2 or later; since no vendor fix was listed at the time of publication, confirm the fixed version against the plugin changelog before relying on it).
  • If an immediate upgrade is not feasible, disable the Create DB Tables plugin to remove the vulnerable admin_post hooks.
  • Do not rely on role or capability management to contain this: the admin_post hook fires for every logged-in user and the vulnerable handlers check no capability at all, so a role‑management plugin cannot block them. Instead, reduce who can obtain an account (disable open registration, review existing Subscriber accounts), and until patched block or guard POST requests for the add_table and delete_db_table actions to wp-admin/admin-post.php at the web server, WAF, or via a must‑use plugin.
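A temporary guard for sites that cannot upgrade immediately, written as an added example rather than anything the vendor provides: a must‑use plugin that hooks the two admin_post actions named in the advisory at an early priority and refuses them for anyone without a site‑management capability, logging the attempt so the blocked requests also serve as a detection signal. The hook names come from the advisory; the capability name and log line format are assumptions.

```php
<?php
/**
 * Plugin Name: CDBT virtual patch (added example, not vendor code)
 * Description: Place in wp-content/mu-plugins/ to block admin_post_add_table and
 *              admin_post_delete_db_table for non-administrators until the
 *              Create DB Tables plugin is updated.
 *
 * Assumptions: 'manage_options' is the appropriate capability, and the plugin
 * registers its own handlers at the default priority (10), so priority 1 here
 * runs first. Must-use plugins load before regular plugins, so these callbacks
 * are registered regardless of plugin load order.
 */

function cdbt_vpatch_guard() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators keep normal access; the plugin's handler runs next
    }

    $user   = wp_get_current_user();
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $table  = isset( $_POST['db_table'] ) ? sanitize_text_field( wp_unslash( $_POST['db_table'] ) ) : '';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';

    // Leave a trail in the PHP error log: who tried which action against which table.
    error_log( sprintf(
        'cdbt_vpatch: blocked action=%s table=%s user_id=%d login=%s ip=%s',
        $action, $table, (int) $user->ID, $user->user_login, $ip
    ) );

    // wp_die() ends the request, so the plugin's handler at priority 10 never runs.
    wp_die( 'Forbidden.', '', array( 'response' => 403 ) );
}

foreach ( array( 'admin_post_add_table', 'admin_post_delete_db_table' ) as $cdbt_hook ) {
    add_action( $cdbt_hook, 'cdbt_vpatch_guard', 1 );
}
```

This covers only the two hook names the advisory lists; if the plugin registers further admin_post or admin_post_nopriv actions, add them to the array. After deploying, grep the PHP error log for cdbt_vpatch: any hit is an authenticated account probing the vulnerable endpoints and should be investigated, and a SHOW TABLES review for unexpected tables is worthwhile in case the endpoints were reached before the guard was in place.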

Generated by OpenCVE AI on April 22, 2026 at 09:22 UTC.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Jppreus; Jppreus create Db Tables; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Jppreus; Jppreus create Db Tables; Wordpress; Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type: Description
Values Added: (the Description text shown at the top of this page)

Type: Title
Values Added: Create DB Tables <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


Subscriptions

Jppreus Create Db Tables
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T07:45:41.323Z

Reserved: 2026-03-13T13:27:41.833Z

Link: CVE-2026-4119

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T09:16:23.330

Modified: 2026-04-22T09:16:23.330

Link: CVE-2026-4119

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:43:54Z

Weaknesses