PT-2026-34287 · Jppreus · Create Db Tables
Youcef Hamdani
·
Published
2026-04-22
·
Updated
2026-04-22
·
CVE-2026-4119
CVSS v3.1
9.1
Critical
| AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user, including Subscribers, can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table, including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.
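The hardened shape of an admin_post handler for the destructive action described above, as an added example that is not the plugin's own code: the hook name follows the advisory, while the handler name, the nonce action string, the required capability and the plugin table sub-prefix are assumptions.

```php
<?php
// Added example, not code from the Create DB Tables plugin. It shows the three
// controls the advisory says are missing: a capability check, a nonce/referer
// check, and an allow-list for the table name instead of trusting $_POST.

add_action( 'admin_post_delete_db_table', 'example_delete_db_table_handler' );

function example_delete_db_table_handler() {
    global $wpdb;

    // 1. Capability check. admin_post_* only proves the caller is logged in
    //    (a Subscriber qualifies), so the handler must demand a real capability.
    //    'manage_options' is an assumption; pick the capability that fits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.' ), '', array( 'response' => 403 ) );
    }

    // 2. Nonce/referer check. Rejects CSRF and any request that did not come
    //    from a form rendered with wp_nonce_field( 'example_delete_db_table' ).
    check_admin_referer( 'example_delete_db_table' );

    // 3. Allow-list validation. A table identifier cannot be bound as a prepared
    //    statement parameter, so the only safe approach is to accept nothing but
    //    names of tables this plugin itself owns. Core tables such as wp_users
    //    or wp_options can never match.
    $requested = isset( $_POST['db_table'] ) ? sanitize_text_field( wp_unslash( $_POST['db_table'] ) ) : '';
    if ( '' === $requested || ! in_array( $requested, example_plugin_tables(), true ) ) {
        wp_die( esc_html__( 'Invalid table.' ), '', array( 'response' => 400 ) );
    }

    // $requested is now known to be an exact existing table name from the allow-list.
    $wpdb->query( 'DROP TABLE IF EXISTS `' . esc_sql( $requested ) . '`' );

    wp_safe_redirect( add_query_arg( 'deleted', '1', admin_url( 'admin.php?page=example-plugin' ) ) );
    exit;
}

// Tables this plugin owns: existing tables named "{$wpdb->prefix}cdbt_*".
// The "cdbt_" sub-prefix is an assumption for this example.
function example_plugin_tables() {
    global $wpdb;
    $like = $wpdb->esc_like( $wpdb->prefix . 'cdbt_' ) . '%';
    return (array) $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $like ) );
}
```

When reviewing a plugin for this class of bug, the check is mechanical: every admin_post_* and wp_ajax_* callback that changes state should contain both a current_user_can() call and a check_admin_referer()/wp_verify_nonce() call before it touches $wpdb.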
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Create Db Tables