CVE-2026-4119 Overview
The Create DB Tables plugin for WordPress contains an authorization bypass vulnerability affecting all versions up to and including 1.2.1. The plugin registers admin_post_add_table and admin_post_delete_db_table action hooks without implementing capability checks or nonce verification. Any authenticated user, including those with Subscriber-level access, can invoke these endpoints to create arbitrary database tables or drop existing ones. Attackers can target critical WordPress core tables such as wp_users or wp_options, destroying the entire WordPress installation. The flaw is categorized under [CWE-862] Missing Authorization.
Critical Impact
Any authenticated subscriber can drop arbitrary database tables, including WordPress core tables, leading to complete site destruction.
Affected Products
- Create DB Tables plugin for WordPress, all versions through 1.2.1
- WordPress sites allowing open user registration with the plugin installed
- WordPress sites where Subscriber or higher accounts exist alongside the plugin
Discovery Timeline
- 2026-04-22 - CVE-2026-4119 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-4119
Vulnerability Analysis
The vulnerability stems from improper use of WordPress action hooks for privileged operations. The plugin registers two admin_post hooks tied to the functions cdbt_create_new_table() and cdbt_delete_db_table(). WordPress invokes the admin_post_{action} hook for any authenticated request, regardless of role. The plugin omits both current_user_can() capability validation and wp_verify_nonce() or check_admin_referer() request validation. As a result, the endpoints are reachable by Subscribers, who normally cannot perform administrative database operations.
The cdbt_delete_db_table() function reads a table name from $_POST['db_table'] and passes it directly to a DROP TABLE SQL statement. The cdbt_create_new_table() function similarly accepts attacker-controlled input to create arbitrary tables. Because the value is user-supplied without authorization gating, the attacker selects any table in the WordPress database schema. Dropping wp_users removes all accounts; dropping wp_options makes the site non-functional.
Root Cause
The root cause is missing authorization enforcement on sensitive admin_post endpoints. WordPress treats admin_post_* hooks as authenticated entry points but does not enforce role-based access. Plugins must verify capabilities and nonces themselves. The plugin's registration code at create-db-tables.php lines 370 and 376 attaches handlers without these checks.
Attack Vector
An attacker registers or logs in as a Subscriber, then sends a POST request to /wp-admin/admin-post.php with action=delete_db_table and a db_table parameter set to a target table such as wp_users. The handler executes the DROP TABLE statement against the WordPress database with no further validation. The same vector applies to action=add_table for arbitrary table creation. No user interaction is required beyond the attacker's authenticated session.
The vulnerability does not require a code proof-of-concept beyond an HTTP POST
to admin-post.php with a valid subscriber session cookie. See the Wordfence
advisory and WordPress plugin source references for the affected function
locations in create-db-tables.php and create-new-table.php.
Detection Methods for CVE-2026-4119
Indicators of Compromise
- HTTP POST requests to /wp-admin/admin-post.php containing action=delete_db_table or action=add_table from low-privilege user sessions
- Unexpected DROP TABLE or CREATE TABLE statements in MySQL or MariaDB query logs originating from the WordPress database user
- Sudden disappearance of WordPress core tables such as wp_users, wp_options, wp_posts, or wp_usermeta
- WordPress site returning database connection or installation prompts after authenticated subscriber activity
Detection Strategies
- Enable MySQL general query logging or binlog auditing and alert on DROP TABLE and CREATE TABLE statements executed by the WordPress application user
- Inspect web server access logs for admin-post.php requests carrying the delete_db_table or add_table action parameter
- Correlate admin-post.php activity with the role of the authenticated session to flag Subscriber-initiated administrative calls
Monitoring Recommendations
- Forward web access logs and database audit logs to a centralized analytics platform for correlation across web and data tiers
- Establish a baseline of legitimate plugin schema operations and alert on deviations
- Monitor the WordPress users table row count and trigger alerts on abrupt drops or table-missing errors
How to Mitigate CVE-2026-4119
Immediate Actions Required
- Deactivate and remove the Create DB Tables plugin from all WordPress installations until a patched version is published
- Restrict new user registration or set the default role to a custom role with no plugin access while the plugin is present
- Verify database backups are current and restorable before any user-driven activity continues
- Audit existing user accounts and remove any unknown Subscriber accounts created recently
Patch Information
No fixed version is identified in the available advisory data. The latest affected version is 1.2.1. Review the Wordfence Vulnerability Report for updated remediation guidance and consult the WordPress Plugin Source for the affected handler registration.
Workarounds
- Block requests to /wp-admin/admin-post.php with action=delete_db_table or action=add_table at the web application firewall or reverse proxy
- Restrict the MySQL user assigned to WordPress so that it cannot execute DROP statements on production schemas if business requirements allow
- Apply a custom mu-plugin that calls remove_action('admin_post_delete_db_table', ...) and remove_action('admin_post_add_table', ...) to unhook the vulnerable handlers
# Example WAF rule (ModSecurity) to block the vulnerable actions
SecRule REQUEST_URI "@contains /wp-admin/admin-post.php" \
"chain,phase:2,deny,status:403,id:1004119,msg:'Block CVE-2026-4119 Create DB Tables abuse'"
SecRule ARGS:action "@rx ^(delete_db_table|add_table)$" "t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

