PT-2026-34290 · Primisdigital · Wp Table Manager

Itthidej Aramsri · Published 2026-04-22 · Updated 2026-04-22 · CVE-2026-4126

CVSS v3.1: 4.3 Medium (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'table_manager' shortcode. The shortcode handler tablemanager_render_table_shortcode() takes a user-controlled table attribute, applies only sanitize_key() for sanitization, and concatenates the value with $wpdb->prefix to form a full database table name. It then executes DESC and SELECT * queries against this table and renders all rows and columns to the frontend. There is no allowlist check to ensure only plugin-created tables can be accessed — the tablemanager_created_tables option is only referenced in admin functions, never in the shortcode handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from arbitrary WordPress database tables.
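
The missing allowlist check described above, sketched as an added example (not the plugin's code and not a vendor patch). The example_* function names are hypothetical, and the tablemanager_created_tables option is assumed to hold an array of unprefixed table names.

```php
<?php
// Added illustration; example_* names are hypothetical, not the plugin's code.

// Fallback with the same character filter as WordPress's sanitize_key()
// (lowercase, keep a-z 0-9 _ -) so this file also runs outside WordPress.
if (!function_exists('sanitize_key')) {
    function sanitize_key($key) {
        return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key));
    }
}

// Returns the prefixed table name only when the request is on the allowlist.
// $allowed: unprefixed names of plugin-created tables (assumed option shape).
function example_resolve_table($raw, $prefix, array $allowed) {
    $name = sanitize_key($raw);
    if ($name === '' || !in_array($name, $allowed, true)) {
        return null; // "users", "options" and other core tables stop here
    }
    return $prefix . $name;
}

// Shortcode handler with the allowlist check in front of every query.
function example_render_table_shortcode($atts) {
    global $wpdb;
    $atts    = shortcode_atts(array('table' => ''), $atts);
    $allowed = (array) get_option('tablemanager_created_tables', array());
    $table   = example_resolve_table($atts['table'], $wpdb->prefix, $allowed);
    if ($table === null) {
        return ''; // render nothing for tables the plugin did not create
    }
    $html = '<table>';
    foreach ($wpdb->get_results("SELECT * FROM `{$table}`", ARRAY_A) as $row) {
        $html .= '<tr><td>' . implode('</td><td>', array_map('esc_html', $row)) . '</td></tr>';
    }
    return $html . '</table>';
}

// Constructed demo, run with `php file.php`; skipped when loaded by WordPress.
if (PHP_SAPI === 'cli' && !defined('ABSPATH')) {
    $allowed = array('prices', 'staff_rota'); // constructed allowlist
    foreach (array('prices', 'users', 'Options', 'prices;x') as $raw) {
        $resolved = example_resolve_table($raw, 'wp_', $allowed);
        echo str_pad($raw, 10), ' => ', $resolved === null ? 'rejected' : $resolved, "\n";
    }
}
```

sanitize_key() only constrains the character set, so a value such as users passes it unchanged; the allowlist comparison is the check that keeps the query confined to plugin-created tables.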

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-4126

Affected Products

Wp Table Manager