CVE-2026-4126 Overview
The Table Manager plugin for WordPress contains a Sensitive Information Exposure vulnerability in all versions up to and including 1.0.0. The flaw exists within the table_manager shortcode implementation, where the tablemanager_render_table_shortcode() function fails to properly restrict access to database tables. An authenticated attacker with Contributor-level privileges or higher can exploit this vulnerability to extract sensitive data from arbitrary WordPress database tables, potentially exposing user credentials, private content, and other confidential information stored in the database.
Critical Impact
Authenticated attackers with minimal privileges (Contributor-level) can read arbitrary WordPress database tables, including sensitive user data, configuration settings, and potentially stored credentials.
Affected Products
- Table Manager plugin for WordPress version 1.0.0 and earlier
Discovery Timeline
- 2026-04-22 - CVE-2026-4126 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-4126
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Information Exposure) and stems from inadequate access control in the shortcode handler. The tablemanager_render_table_shortcode() function accepts a user-controlled table attribute that is only sanitized using sanitize_key(). While this function removes special characters, it does not validate whether the requested table should be accessible to the user. The sanitized value is then concatenated with $wpdb->prefix to construct a full database table name, which is subsequently queried using DESC and SELECT * statements. All query results are rendered directly to the frontend.
The critical security flaw is the absence of an allowlist check to ensure only plugin-created tables can be accessed. Although the plugin maintains a tablemanager_created_tables option that could serve as an allowlist, this option is only referenced in administrative functions and is never validated within the shortcode handler.
Root Cause
The root cause is the missing authorization check in the shortcode handler. The tablemanager_render_table_shortcode() function blindly trusts user input to specify which database table to query. The sanitize_key() function provides only character-level sanitization (lowercasing and removing non-alphanumeric characters except dashes and underscores), but offers no protection against unauthorized table access. The tablemanager_created_tables option exists but is never consulted when processing shortcode requests, allowing attackers to query any table in the WordPress database that shares the configured table prefix.
Attack Vector
The attack is network-accessible and requires low privileges. An attacker needs only Contributor-level access to WordPress, which allows them to create posts containing shortcodes. By crafting a shortcode with a malicious table attribute pointing to sensitive WordPress core tables (such as users, usermeta, or options), the attacker can extract all rows and columns from those tables. Since the shortcode renders the data to the frontend, the attacker can view the results by previewing or publishing their post.
The vulnerability can be exploited by inserting a shortcode such as [table_manager table="users"] which, after sanitization and prefix concatenation, would query the wp_users table and expose all user account information including password hashes. For detailed code analysis, refer to the WordPress Table Manager source code and the Wordfence vulnerability analysis.
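The handler pattern described above, as an added illustration that is not the plugin's source: the first function reconstructs the behaviour the advisory describes (sanitize_key, prefix concatenation, DESC and SELECT *), the second adds the allowlist check against tablemanager_created_tables that the fix needs. The renderer is a hypothetical stand-in, and the option is assumed to hold an array of un-prefixed table names.

```php
<?php
// Added illustration, not the plugin's source. The first handler reconstructs the
// behaviour the advisory describes; the second adds the allowlist check the fix needs.

// Hypothetical minimal renderer so both handlers are complete; the plugin's own is not shown here.
function tablemanager_render_html( $columns, $rows ) {
    $html = '<table><tr>';
    foreach ( $columns as $col ) { $html .= '<th>' . esc_html( $col->Field ) . '</th>'; }
    $html .= '</tr>';
    foreach ( $rows as $row ) {
        $html .= '<tr>';
        foreach ( $row as $cell ) { $html .= '<td>' . esc_html( (string) $cell ) . '</td>'; }
        $html .= '</tr>';
    }
    return $html . '</table>';
}

// BEFORE (as described): sanitize_key() only normalises characters, so
// [table_manager table="users"] becomes "wp_users" and is queried without any check.
function tablemanager_render_table_shortcode_vulnerable( $atts ) {
    global $wpdb;
    $atts    = shortcode_atts( array( 'table' => '' ), $atts, 'table_manager' );
    $table   = $wpdb->prefix . sanitize_key( $atts['table'] );
    $columns = $wpdb->get_results( "DESC `$table`" );                   // column list
    $rows    = $wpdb->get_results( "SELECT * FROM `$table`", ARRAY_A ); // every row
    return tablemanager_render_html( $columns, $rows );
}

// AFTER: the requested name must be in the plugin's own tablemanager_created_tables
// option before a query is built. Assumption: the option holds an array of un-prefixed
// names as registered by the plugin, e.g. array( 'tm_prices', 'tm_staff' ). If it
// actually stores prefixed names, the check still fails closed rather than open.
function tablemanager_render_table_shortcode_fixed( $atts ) {
    global $wpdb;
    $atts      = shortcode_atts( array( 'table' => '' ), $atts, 'table_manager' );
    $requested = sanitize_key( $atts['table'] );
    $allowed   = get_option( 'tablemanager_created_tables', array() );

    if ( ! is_array( $allowed ) || ! in_array( $requested, $allowed, true ) ) {
        // Unknown table: render nothing and leave a log line for the monitoring described below.
        error_log( sprintf( 'table_manager: rejected table "%s" (user %d)', $requested, get_current_user_id() ) );
        return '';
    }

    $table   = $wpdb->prefix . $requested;
    $columns = $wpdb->get_results( "DESC `$table`" );
    $rows    = $wpdb->get_results( "SELECT * FROM `$table`", ARRAY_A );
    return tablemanager_render_html( $columns, $rows );
}
```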
Detection Methods for CVE-2026-4126
Indicators of Compromise
- Posts or pages containing [table_manager table="users"], [table_manager table="usermeta"], [table_manager table="options"], or similar shortcodes targeting WordPress core tables
- Unusual database query patterns showing SELECT * operations on sensitive tables like wp_users or wp_options from the web application layer
- Contributor or Author accounts creating drafts with shortcodes that reference non-plugin tables
Detection Strategies
- Review all published and draft posts for table_manager shortcodes with suspicious table names that do not correspond to legitimate plugin-created tables
- Monitor database query logs for unexpected full-table scans (SELECT *) against sensitive WordPress core tables originating from the Table Manager plugin
- Implement Web Application Firewall (WAF) rules to detect and block shortcode patterns attempting to access unauthorized tables
Monitoring Recommendations
- Enable WordPress audit logging to track shortcode usage and content modifications by Contributor-level users
- Configure database activity monitoring to alert on bulk data extraction from sensitive tables
- Establish baseline usage patterns for the Table Manager plugin and alert on anomalous table access requests
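A scan that implements the review and monitoring items above, as an added example that is not part of the plugin or of WP-CLI. It assumes WordPress is loaded (for instance as a mu-plugin file) and that tablemanager_created_tables holds un-prefixed table names; every table_manager shortcode whose table attribute is outside that allowlist is reported, with the core tables named in this advisory flagged as high severity.

```php
<?php
// Added detection helper, not part of the plugin. Finds [table_manager] shortcodes in
// posts of any status whose `table` attribute is not in the plugin's allowlist.
// Assumption: tablemanager_created_tables holds an array of un-prefixed table names.
function tm_audit_find_unauthorized_shortcodes() {
    global $wpdb;
    $allowed = get_option( 'tablemanager_created_tables', array() );
    $allowed = is_array( $allowed ) ? $allowed : array();
    // Core tables the advisory names as the high-value targets.
    $sensitive = array( 'users', 'usermeta', 'options' );

    // Pre-filter in SQL, then parse the shortcodes properly in PHP.
    $posts = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_author, post_status, post_content FROM {$wpdb->posts}
         WHERE post_content LIKE %s AND post_type <> 'revision'",
        '%' . $wpdb->esc_like( '[table_manager' ) . '%'
    ) );

    $findings = array();
    $pattern  = '/' . get_shortcode_regex( array( 'table_manager' ) ) . '/';
    foreach ( $posts as $post ) {
        if ( ! preg_match_all( $pattern, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            $atts  = shortcode_parse_atts( $m[3] ); // group 3 is the attribute string
            $table = ( is_array( $atts ) && isset( $atts['table'] ) ) ? sanitize_key( $atts['table'] ) : '';
            if ( in_array( $table, $allowed, true ) ) {
                continue; // legitimate plugin-created table
            }
            $findings[] = array(
                'post_id'  => (int) $post->ID,
                'author'   => (int) $post->post_author,
                'status'   => $post->post_status,
                'table'    => $table,
                'severity' => in_array( $table, $sensitive, true ) ? 'high' : 'medium',
            );
        }
    }
    return $findings;
}

// Expose the scan as `wp tm-audit` so it fits the WP-CLI workflow used later in this advisory.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'tm-audit', function () {
        $findings = tm_audit_find_unauthorized_shortcodes();
        if ( empty( $findings ) ) {
            WP_CLI::success( 'No unauthorized table_manager shortcodes found.' );
            return;
        }
        WP_CLI\Utils\format_items( 'table', $findings, array( 'post_id', 'author', 'status', 'table', 'severity' ) );
        WP_CLI::warning( count( $findings ) . ' suspicious shortcode(s) found.' );
    } );
}
```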
How to Mitigate CVE-2026-4126
Immediate Actions Required
- Disable or uninstall the Table Manager plugin until a patched version is available
- Audit all existing posts and pages for malicious shortcode usage and remove any unauthorized instances
- Review user accounts with Contributor-level access or higher for signs of compromise
- Consider temporarily demoting untrusted users to Subscriber role to prevent shortcode abuse
Patch Information
No vendor patch information is currently available. Monitor the WordPress Plugin Repository for updated versions that address this vulnerability. The fix should implement an allowlist check using the existing tablemanager_created_tables option within the tablemanager_render_table_shortcode() function.
Workarounds
- Remove Contributor, Author, or Editor capabilities from untrusted users to prevent shortcode creation
- Implement a custom code snippet or plugin to filter and block the table_manager shortcode entirely until a fix is released
- Use a security plugin with shortcode filtering capabilities to prevent unauthorized table references
# Disable the Table Manager plugin via WP-CLI
wp plugin deactivate table-manager
# Search for potentially malicious shortcode usage in posts (adjust the wp_ prefix if the site uses a custom $table_prefix)
wp db query "SELECT ID, post_title, post_content FROM wp_posts WHERE post_content LIKE '%[table_manager%' AND post_status IN ('publish', 'draft', 'pending');"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.