Description
The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'table_manager' shortcode. The shortcode handler `tablemanager_render_table_shortcode()` takes a user-controlled `table` attribute, applies only `sanitize_key()` for sanitization, and concatenates the value with `$wpdb->prefix` to form a full database table name. It then executes `DESC` and `SELECT *` queries against this table and renders all rows and columns to the frontend. There is no allowlist check to ensure only plugin-created tables can be accessed — the `tablemanager_created_tables` option is only referenced in admin functions, never in the shortcode handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from arbitrary WordPress database tables.
Published: 2026-04-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Update
AI Analysis

Impact

The Table Manager WordPress plugin contains a flaw that allows an authenticated user with Contributor level or higher to reveal arbitrary database content. The plugin’s shortcode processor accepts a "table" parameter, sanitizes it only with a key validation routine, then combines it with the database prefix and runs a DESCRIBE command followed by a SELECT * on the resulting table. Because the processor does not enforce an allow‑list of plugin‑created tables, an attacker can specify any table name and have its entire contents exposed on the front end.

Affected Systems

All installations of primisdigital’s Table Manager plugin with a version of 1.0.0 or earlier are affected. The vulnerability exists in the default deployment of the plugin and is not limited to any particular WordPress installation configuration.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk, and the exploitation likelihood is not quantified due to missing EPSS data. The attack requires authenticated access at the Contributor level, which many sites assign to content editors. Once authenticated, an attacker can embed the malicious shortcode in a post or page they can edit and trigger a direct leak of arbitrary database table data to any viewer of that content. The plugin is not listed in the CISA KEV catalog, so there is no formal indication of active exploitation at this time.

Generated by OpenCVE AI on April 22, 2026 at 09:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade primisdigital’s Table Manager to the latest version that removes the vulnerability.
  • Restrict the use of the table_manager shortcode by editing user roles so that only administrators can add or edit posts containing it.
  • If upgrading immediately is not possible, disable the Table Manager plugin or remove it entirely from the site to eliminate the vulnerable code path.

Generated by OpenCVE AI on April 22, 2026 at 09:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Primisdigital
Primisdigital table Manager
Wordpress
Wordpress wordpress
Vendors & Products Primisdigital
Primisdigital table Manager
Wordpress
Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
Description The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'table_manager' shortcode. The shortcode handler `tablemanager_render_table_shortcode()` takes a user-controlled `table` attribute, applies only `sanitize_key()` for sanitization, and concatenates the value with `$wpdb->prefix` to form a full database table name. It then executes `DESC` and `SELECT *` queries against this table and renders all rows and columns to the frontend. There is no allowlist check to ensure only plugin-created tables can be accessed — the `tablemanager_created_tables` option is only referenced in admin functions, never in the shortcode handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from arbitrary WordPress database tables.
Title Table Manager <= 1.0.0 - Authenticated (Contributor+) Sensitive Information Exposure via 'table' Shortcode Attribute
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Primisdigital Table Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T15:31:46.501Z

Reserved: 2026-03-13T13:54:47.624Z

Link: CVE-2026-4126

cve-icon Vulnrichment

Updated: 2026-04-22T15:25:39.975Z

cve-icon NVD

Status : Deferred

Published: 2026-04-22T09:16:23.777

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-4126

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:44:19Z

Weaknesses