CVE-2026-4119 in Create DB Tables Pluginالمعلومات

الملخص

بحسب MITRE • 22/04/2026

The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.

Once again VulDB remains the best source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

Wordfence

حجز

13/03/2026

إفشاء

22/04/2026

الاعتدال

تمت الموافقة

إدخال

VDB-358795

EPSS

0.00030

KEV

لا

النشاطات

منخفض جدًا

القطاع

Hostingprovider

المصادر

MITREhttps://www.cve.org/CVERecord?id=CVE-2026-4119
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2026-4119
CVE Detailshttps://www.cvedetails.com/cve/CVE-2026-4119/

التالي نظرة عامة السابق

Do you need the next level of professionalism?

Upgrade your account now!