PT-2026-34290 · WordPress · Wp Table Manager

Itthidej Aramsri · Published 2026-04-22 · Updated 2026-04-23 · CVE-2026-4126

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Table Manager versions prior to 1.0.1

Description

The Table Manager plugin for WordPress allows authenticated attackers with Contributor-level access and above to extract sensitive data from arbitrary WordPress database tables. The issue occurs because the shortcode handler tablemanager_render_table_shortcode() processes a user-controlled table attribute using only sanitize_key() for sanitization, which constrains the characters in the value but not which table it names. This value is concatenated with $wpdb->prefix to execute DESC and SELECT * queries, and all rows and columns are rendered to the frontend. The handler performs no allowlist check to verify that only plugin-created tables are accessed: the tablemanager_created_tables option is not consulted within the shortcode handler.

Recommendations

Update the plugin to a version later than 1.0.0. As a temporary workaround, restrict the use of the 'table manager' shortcode to trusted users with higher privileges.
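
The missing allowlist check described above could look like the following. This is an added example, not the plugin's own code or its actual fix. The `example_tm_*` function names and the `example_table` shortcode tag are hypothetical. The option name is written with underscores, and the option is assumed to hold an array of unprefixed table names; the advisory does not state its format.

```php
<?php
// Added example: hypothetical hardened shortcode handler, not the plugin's code.

/**
 * Map a shortcode "table" attribute to a full table name, or null when the
 * table is not on the plugin's list of created tables.
 * Assumption: $allowed holds unprefixed names, as stored in the option.
 */
function example_tm_resolve_table( $requested, array $allowed, $prefix ) {
    $key = sanitize_key( (string) $requested );
    // sanitize_key() only normalises characters; it does not decide whether
    // the table may be read. Require an exact, strict allowlist match.
    if ( '' === $key || ! in_array( $key, $allowed, true ) ) {
        return null;
    }
    return $prefix . $key;
}

function example_tm_render_table_shortcode( $atts ) {
    global $wpdb;
    $atts    = shortcode_atts( array( 'table' => '' ), $atts, 'example_table' );
    $allowed = get_option( 'tablemanager_created_tables', array() );
    if ( ! is_array( $allowed ) ) {
        $allowed = array(); // Malformed option: fail closed.
    }
    $table = example_tm_resolve_table( $atts['table'], $allowed, $wpdb->prefix );
    if ( null === $table ) {
        return ''; // Core or third-party table requested: render nothing.
    }
    // The identifier is allowlisted at this point; quote it regardless.
    $rows = $wpdb->get_results( "SELECT * FROM `{$table}`", ARRAY_A );
    if ( empty( $rows ) ) {
        return '';
    }
    $html = '<table><tr>';
    foreach ( array_keys( $rows[0] ) as $col ) {
        $html .= '<th>' . esc_html( $col ) . '</th>';
    }
    $html .= '</tr>';
    foreach ( $rows as $row ) {
        $html .= '<tr>';
        foreach ( $row as $cell ) {
            $html .= '<td>' . esc_html( (string) $cell ) . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</table>';
}
add_shortcode( 'example_table', 'example_tm_render_table_shortcode' );
```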

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-4126

Affected Products

Wp Table Manager