Authorization Bypass in Create DB Tables Plugin for WordPress
CVE-2026-4119

9.1 CRITICAL

Key Information:

Vendor

WordPress

CVE Published:
22 April 2026

What is CVE-2026-4119?

The Create DB Tables plugin for WordPress is vulnerable to an authorization bypass in all versions up to and including 1.2.1. The plugin does not adequately verify user permissions before executing critical database operations such as creating and deleting tables: the admin_post action hooks for adding and deleting database tables lack both a capability check and nonce verification, so any authenticated user, including one with minimal privileges such as a Subscriber, can reach these actions. Through the cdbt_delete_db_table() and cdbt_create_new_table() functions an attacker can execute arbitrary SQL commands, which may result in the deletion of vital WordPress tables such as wp_users and wp_options or the creation of damaging new tables, severely compromising the integrity of a WordPress installation.
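The description above names the two missing controls: a capability check and a nonce check on an admin_post handler. WordPress fires admin_post_{action} for every logged-in user regardless of role, so a handler that runs SQL must enforce both itself. The following is an added illustration of that hardened pattern, written for this page; it is not the Create DB Tables plugin's code, and every name prefixed example_ (the action name, the handler, the table-name prefix) and the choice of the manage_options capability are assumptions made here.

```php
<?php
/**
 * Added illustration, not the Create DB Tables plugin's code. It shows the
 * pattern WordPress expects for an admin_post handler that performs a
 * privileged database operation: authorization and CSRF checks run before
 * any SQL. Names prefixed "example_" are hypothetical.
 */

// Form side: bind a nonce to a named action so the handler can verify it.
function example_render_delete_table_form( $table_name ) {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="example_delete_table">
		<input type="hidden" name="table_name" value="<?php echo esc_attr( $table_name ); ?>">
		<?php wp_nonce_field( 'example_delete_table_' . $table_name ); ?>
		<?php submit_button( 'Delete table' ); ?>
	</form>
	<?php
}

// Handler side: admin_post_ (not admin_post_nopriv_) still fires for ANY
// logged-in user, so being registered here is not itself an access control.
add_action( 'admin_post_example_delete_table', 'example_handle_delete_table' );

function example_handle_delete_table() {
	// 1. Authorization: without this check a Subscriber reaches the handler
	//    simply by being logged in. manage_options is an assumed capability.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'You are not allowed to do that.' ), 403 );
	}

	// 2. CSRF protection: the nonce must match the action the form was rendered for.
	$table_name = isset( $_POST['table_name'] ) ? sanitize_key( wp_unslash( $_POST['table_name'] ) ) : '';
	check_admin_referer( 'example_delete_table_' . $table_name );

	// 3. Input restriction: only tables this plugin created may be touched, so
	//    core tables such as wp_users and wp_options can never be named here.
	global $wpdb;
	$allowed_prefix = $wpdb->prefix . 'example_';
	if ( '' === $table_name || 0 !== strpos( $table_name, $allowed_prefix ) ) {
		wp_die( esc_html__( 'Invalid table name.' ), 400 );
	}

	// 4. $wpdb->prepare() cannot parameterise identifiers, so the prefix
	//    whitelist above is the real control; escaping and back-ticks are defence in depth.
	$wpdb->query( 'DROP TABLE IF EXISTS `' . esc_sql( $table_name ) . '`' );

	$back = wp_get_referer();
	wp_safe_redirect( add_query_arg( 'deleted', '1', $back ? $back : admin_url() ) );
	exit;
}
```

When reviewing a plugin for this class of issue, look at every add_action( 'admin_post_…' ) and admin_post_nopriv_ registration and confirm the callback calls current_user_can() and check_admin_referer() (or wp_verify_nonce()) before touching $wpdb; the nonce alone is not an authorization check, and the capability check alone does not stop a cross-site request forged against an administrator.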

Affected Version(s)

Create DB Tables 0 <= 1.2.1

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability Published

  • Vulnerability Reserved

Credit

Youcef Hamdani