CVE-2026-4119 - Vulnerability Analysis

Overview

Create DB Tables WordPress plugin <= 1.2.1 contains an authorization bypass caused by missing capability and nonce checks in admin_post hooks, letting authenticated users with Subscriber-level access create or delete arbitrary database tables.

Severity & Score

Impact

Authenticated attackers can create or delete any database table, potentially destroying the entire WordPress installation.

Mitigation

Update to the latest version with proper capability and nonce checks.

References

• https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L370
• https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L405
• https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L14
• https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L69
• https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L405
• https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L14
• https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L69
• https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L376
• https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L408
• https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L370
• https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L376
• https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L408
• https://www.wordfence.com/threat-intel/vulnerabilities/id/d1a3bc4b-cc17-4728-b242-13841b5f7660?source=cve

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner