CVE-2026-4119 Overview
CVE-2026-4119 is a critical authorization bypass vulnerability affecting the Create DB Tables plugin for WordPress in all versions up to and including 1.2.1. The vulnerability stems from the plugin's failure to implement proper capability checks and nonce verification on administrative action hooks, allowing any authenticated user—including those with minimal Subscriber-level privileges—to create arbitrary database tables and delete existing ones, including critical WordPress core tables.
Critical Impact
This vulnerability enables authenticated attackers with Subscriber-level access to completely destroy a WordPress installation by deleting critical database tables such as wp_users or wp_options, leading to total site compromise.
Affected Products
- Create DB Tables plugin for WordPress version 1.2.1 and earlier
- WordPress installations with the Create DB Tables plugin active
- Any WordPress site where authenticated users (including Subscribers) exist, particularly sites with open user registration enabled, where an attacker can create the required account
Discovery Timeline
- 2026-04-22 - CVE-2026-4119 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-4119
Vulnerability Analysis
This authorization bypass vulnerability (CWE-862: Missing Authorization) exists because the Create DB Tables plugin registers admin_post action hooks for sensitive database operations without implementing proper security controls. The plugin exposes two critical endpoints: admin_post_add_table for creating database tables and admin_post_delete_db_table for deleting tables. These hooks only require the user to be logged into WordPress, meaning the admin_post handler processes requests from any authenticated user regardless of their role or capabilities.
The most dangerous aspect of this vulnerability lies in the cdbt_delete_db_table() function, which accepts a user-supplied table name directly from the $_POST['db_table'] parameter and constructs a DROP TABLE SQL query without any sanitization or authorization verification. An attacker with a simple Subscriber account can craft a malicious POST request targeting any database table, including WordPress core tables essential for site operation.
Root Cause
The root cause is the complete absence of security controls in the plugin's administrative action handlers. WordPress provides standard mechanisms for exactly this: current_user_can() for capability checks and wp_verify_nonce()/check_admin_referer() for CSRF protection. The vulnerable plugin uses neither. The developers appear to have assumed that admin_post_{action} hooks fire only for administrators, when in fact admin-post.php runs them for any request that carries a valid logged-in session cookie; only the separate admin_post_nopriv_{action} variant is reserved for unauthenticated visitors. Even with both checks in place, a handler that drops tables should restrict the table name to an allowlist of tables the plugin itself created rather than interpolating user input into the SQL identifier.
The vulnerable code paths can be examined in the plugin source code on the WordPress Plugin Trac.
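The pattern described above, shown as a reconstruction beside the checks the handler should have had. This is an added illustration written for this page, not the plugin's source: the vulnerable half is reconstructed from the advisory's description (the hook name, function name and the $_POST['db_table'] parameter come from the text above; the redirect and everything else are assumptions), and the cdbt_managed_tables option used as the allowlist in the hardened half is a hypothetical name for wherever a plugin would record the tables it created.

```php
<?php
// Reconstructed from the advisory's description, not the plugin's actual code:
// the handler runs for any logged-in user and drops whatever table name it is given.
// The add_action() call is commented out so that only the hardened handler is wired up
// when this file is loaded.
// add_action( 'admin_post_delete_db_table', 'cdbt_delete_db_table' );
function cdbt_delete_db_table() {
    global $wpdb;
    $table = $_POST['db_table'];                         // attacker-controlled, unvalidated
    $wpdb->query( "DROP TABLE IF EXISTS `{$table}`" );   // no capability check, no nonce, no allowlist
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// Hardened form (added example). The submitting form is assumed to include
// wp_nonce_field( 'cdbt_delete_db_table' ) so that check_admin_referer() can verify it.
add_action( 'admin_post_delete_db_table', 'cdbt_delete_db_table_hardened' );
function cdbt_delete_db_table_hardened() {
    global $wpdb;

    // 1. Authorization: admin_post_{action} fires for every logged-in user, so the
    //    capability check must be explicit. manage_options is the usual bar for
    //    site-wide changes; an integer second argument to wp_die() sets the HTTP status.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.' ), 403 );
    }

    // 2. CSRF: reject requests that do not carry a valid nonce for this action.
    check_admin_referer( 'cdbt_delete_db_table' );

    // 3. Input validation: accept only a plain identifier, require it to be in the
    //    allowlist of tables this plugin created (assumed to live in the hypothetical
    //    cdbt_managed_tables option), and never allow a core WordPress table.
    $requested = isset( $_POST['db_table'] ) ? wp_unslash( $_POST['db_table'] ) : '';
    if ( ! is_string( $requested ) || ! preg_match( '/^[A-Za-z0-9_]{1,64}\z/', $requested ) ) {
        wp_die( esc_html__( 'Invalid table name.' ), 400 );
    }
    $owned = array_map( 'strval', (array) get_option( 'cdbt_managed_tables', array() ) );
    $core  = array_values( $wpdb->tables( 'all', true ) );   // wp_users, wp_options, wp_posts, ...
    if ( ! in_array( $requested, $owned, true ) || in_array( $requested, $core, true ) ) {
        wp_die( esc_html__( 'That table is not managed by this plugin.' ), 400 );
    }

    // The name is now known-good, so it is safe to place it in the identifier position.
    $wpdb->query( 'DROP TABLE IF EXISTS `' . $requested . '`' );
    update_option( 'cdbt_managed_tables', array_values( array_diff( $owned, array( $requested ) ) ) );

    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
```

The order of the three checks matters: the capability check comes first so that a Subscriber never reaches the nonce or SQL logic, and the allowlist is consulted before the query so that even an administrator cannot be tricked, via a forged form, into dropping wp_users. The same three steps apply to the add_table handler, with the allowlist updated after a successful CREATE instead of a DROP.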
Attack Vector
The attack can be executed remotely over the network by any authenticated WordPress user. The attacker only needs valid credentials for an account with Subscriber-level permissions—the lowest privilege level in WordPress.
The attack flow involves:
- Authenticating to WordPress with any valid user credentials (Subscriber or above)
- Sending a crafted POST request to the admin-post.php endpoint with action=delete_db_table
- Including the target table name in the db_table POST parameter
- The plugin executes the DROP TABLE query without verification, destroying the specified table
The cdbt_create_new_table() function similarly lacks authorization checks, allowing attackers to create arbitrary database tables which could be used for further exploitation or to consume database resources. For detailed technical analysis, refer to the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-4119
Indicators of Compromise
- Unexpected database table deletions or missing WordPress core tables (wp_users, wp_options, wp_posts, etc.)
- Unusual POST requests to /wp-admin/admin-post.php from low-privileged user accounts
- Error logs showing database table not found errors for core WordPress tables
- New or unexpected database tables appearing in the WordPress database
Detection Strategies
- Monitor HTTP access logs for POST requests to admin-post.php. Because admin-post.php reads the action name from $_REQUEST, an attacker may put action=delete_db_table or action=add_table in the query string, where standard access logs record it; if the parameters are sent only in the POST body, the access log shows nothing beyond the path, and you need request-body logging (for example a ModSecurity audit log) or a WordPress-level hook to see them
- Implement database audit logging to track DROP TABLE and CREATE TABLE queries
- Configure web application firewall (WAF) rules to alert on requests matching the vulnerable action hook patterns
- Review WordPress user activity logs for suspicious actions by Subscriber-level accounts
Monitoring Recommendations
- Enable database query logging and set up alerts for DROP TABLE commands executed outside of expected maintenance windows
- Deploy application health checks that periodically load the front page and the login page; a sudden failure of core WordPress functionality is the visible symptom of a dropped core table. File integrity monitoring watches files, not the database, and will not detect this on its own
- Implement real-time monitoring of WordPress admin endpoints for abnormal request patterns from non-administrator users
- Use SentinelOne Singularity to monitor for post-exploitation activities following site compromise
How to Mitigate CVE-2026-4119
Immediate Actions Required
- Immediately deactivate and remove the Create DB Tables plugin from all WordPress installations
- Audit recent database changes for unauthorized table creations or deletions
- Review WordPress user accounts and remove any unauthorized or unnecessary Subscriber-level accounts
- Restore affected databases from clean backups if any tables have been maliciously deleted
- Implement additional WAF rules to block requests to the vulnerable endpoints until the plugin is removed
Patch Information
As of the last update on 2026-04-22, no official patch has been released for this vulnerability. The plugin remains vulnerable in version 1.2.1 and all prior versions. Organizations should not wait for a patch and should immediately remove the plugin from production environments.
Site administrators should monitor the WordPress Plugin Repository for any security updates.
Workarounds
- Remove the Create DB Tables plugin entirely from WordPress installations as the only fully effective workaround
- If removal is not immediately possible, restrict user registrations and remove all non-essential user accounts, particularly those with Subscriber-level access
- As a temporary measure, revoke the DROP privilege (and the CREATE privilege, if unwanted tables are a concern) from the WordPress database user at the MySQL/MariaDB level. Note that plugin installs, updates and uninstalls routinely create and drop tables, so those operations will fail until the privileges are restored
- Deploy a web application firewall rule to block POST requests to admin-post.php containing the delete_db_table or add_table action parameters
# Example ModSecurity v2 rule (an illustration, not a vendor-supplied rule) that blocks the vulnerable admin-post.php actions.
# ARGS covers both query-string and POST-body parameters, but phase 2 can only inspect the body
# when SecRequestBodyAccess is On. Test in DetectionOnly mode first; the rule also blocks
# legitimate administrators, which is acceptable only while the plugin is still installed.
SecRule REQUEST_URI "@contains /wp-admin/admin-post.php" \
    "id:100001,phase:2,t:none,deny,status:403,log,\
    chain,msg:'CVE-2026-4119 Exploit Attempt Blocked'"
    SecRule ARGS:action "@rx ^(delete_db_table|add_table)$" "t:none"
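If the plugin cannot be removed straight away, the two admin_post actions can also be pre-empted inside WordPress from a must-use plugin, which loads before regular plugins and whose hook at priority 0 runs before the plugin's own handler. The file below is an added example written for this page, not vendor or project code. It assumes the plugin registers its handlers at the default priority 10, requires manage_options for either action, and writes every blocked attempt to the PHP error log, which also gives you the per-user activity record asked for under Detection Strategies. It does not add nonce verification for administrators, because the plugin's nonce action is unknown, so it is a stopgap and not a replacement for removing the plugin. The filename cve-2026-4119-vpatch.php is assumed.

```php
<?php
/**
 * Plugin Name: CVE-2026-4119 virtual patch (added example, not the plugin vendor's code)
 * Description: Pre-empts the Create DB Tables admin_post handlers for users without
 *              manage_options and logs every attempt. Place in wp-content/mu-plugins/.
 */

// The two action names the advisory says the plugin exposes via admin_post_{action}.
const CDBT_VPATCH_ACTIONS = array( 'add_table', 'delete_db_table' );

/**
 * Hooked at priority 0, so it runs before the plugin's own handler (assumed to be
 * registered at the default priority 10) and stops the request with wp_die().
 */
function cdbt_vpatch_block() {
    // Administrators are allowed through. Their requests still lack nonce protection,
    // so this file is a stopgap until the plugin is removed.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    $user   = wp_get_current_user();   // ID 0 and an empty login for unauthenticated requests
    $action = isset( $_REQUEST['action'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['action'] ) ) : '';
    $table  = isset( $_POST['db_table'] ) && is_string( $_POST['db_table'] )
        ? sanitize_text_field( wp_unslash( $_POST['db_table'] ) )
        : '';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';

    // Goes to the PHP error log, or to wp-content/debug.log when WP_DEBUG_LOG is enabled.
    error_log( sprintf(
        'CVE-2026-4119 attempt blocked: action=%s db_table=%s user=%s (ID %d) ip=%s',
        $action,
        $table,
        $user->user_login,
        $user->ID,
        $ip
    ) );

    wp_die( esc_html__( 'Forbidden.' ), 403 );
}

foreach ( CDBT_VPATCH_ACTIONS as $cdbt_vpatch_action ) {
    // Logged-in requests reach admin_post_{action}; unauthenticated ones reach the
    // nopriv variant, which the plugin is not reported to register but is blocked anyway.
    add_action( 'admin_post_' . $cdbt_vpatch_action, 'cdbt_vpatch_block', 0 );
    add_action( 'admin_post_nopriv_' . $cdbt_vpatch_action, 'cdbt_vpatch_block', 0 );
}
```

After installing it, confirm it is active by submitting a request as a Subscriber test account and checking that the response is a 403 and that a "CVE-2026-4119 attempt blocked" line appears in the error log; the log line records the action, the requested table name, the user and the source address, which is exactly the evidence the access log cannot provide when the parameters travel in the POST body.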
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.