PT-2026-34287 · WordPress · Create Db Tables

Youcef Hamdani · Published 2026-04-22 · Updated 2026-05-06 · CVE-2026-4119

CVSS v3.1: 9.1 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Create DB Tables versions prior to 1.2.2

Description

The Create DB Tables plugin for WordPress contains an authorization bypass. The plugin registers admin post action hooks for creating tables ('admin_post_add_table') and deleting tables ('admin_post_delete_db_table') without implementing capability checks or nonce verification. Consequently, any authenticated user, including those with Subscriber-level access, can access these endpoints. The cdbt_delete_db_table() function processes a user-supplied table name from the db_table variable and executes a DROP TABLE SQL query, which allows the deletion of any database table, including critical WordPress core tables. Similarly, the cdbt_create_new_table() function allows the creation of arbitrary database tables.

Recommendations

Update to a version newer than 1.2.1. As a temporary workaround, restrict access to the 'admin_post_add_table' and 'admin_post_delete_db_table' endpoints to authorized administrators only.
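One way to apply the temporary workaround is a must-use plugin that puts a capability check in front of both hooks. This is an added example, not code from the advisory or from the Create DB Tables plugin; the cdbt_guard_* names are hypothetical, the hook names are assumed to be spelled as in the description above, and the plugin's own handlers are assumed to be registered at the default priority of 10.

```php
<?php
/**
 * Plugin Name: CDBT endpoint guard (added example, not part of Create DB Tables)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins and
 * cannot be deactivated from the dashboard.
 */

// Action suffixes handled by admin-post.php, as named in the advisory
// (assumed spelling; adjust if the installed plugin registers different hooks).
const CDBT_GUARD_ACTIONS = array( 'add_table', 'delete_db_table' );

/**
 * Stop the request unless the current user is an administrator.
 * wp_die() terminates execution, so the plugin's own handler never runs.
 */
function cdbt_guard_require_admin() {
	// 'manage_options' is granted only to administrators on a default install.
	if ( current_user_can( 'manage_options' ) ) {
		return;
	}

	// Record the blocked attempt so it can be reviewed later.
	error_log( sprintf(
		'cdbt-guard: blocked %s for user id %d from %s',
		current_action(),
		get_current_user_id(),
		isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
	) );

	wp_die(
		'You are not allowed to manage database tables.',
		'Forbidden',
		array( 'response' => 403 )
	);
}

foreach ( CDBT_GUARD_ACTIONS as $cdbt_guard_action ) {
	// Priority 0 runs ahead of handlers registered at the default priority 10.
	add_action( 'admin_post_' . $cdbt_guard_action, 'cdbt_guard_require_admin', 0 );
}
```

This guard adds only the missing capability check. The missing nonce verification is not addressed by it, so updating the plugin remains the actual fix.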

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-4119

Affected Products

Create Db Tables