{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-4119/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-4119"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","authorization-bypass","plugin-vulnerability","cve-2026-4119"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Create DB Tables plugin, versions 1.2.1 and earlier, suffers from an authorization bypass vulnerability (CVE-2026-4119). This flaw stems from the plugin\u0026rsquo;s failure to implement capability checks or nonce verification for its admin_post action hooks, specifically those responsible for creating (admin_post_add_table) and deleting (admin_post_delete_db_table) database tables. Because the admin_post hook only requires a user to be logged in, any authenticated user, including those with the lowest Subscriber role, can access these endpoints. This oversight allows malicious actors to create arbitrary database tables or, more critically, delete existing ones, including vital WordPress core tables. The vulnerability was published on 2026-04-22, and given the severity, defenders should immediately address this risk. The affected versions of the plugin should be updated or removed to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker registers an account on a vulnerable WordPress site, gaining Subscriber-level access.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003ewp-admin/admin-post.php\u003c/code\u003e with the action parameter set to \u003ccode\u003eadd_table\u003c/code\u003e or \u003ccode\u003edelete_db_table\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the \u003ccode\u003edb_table\u003c/code\u003e parameter with the name of the table to be deleted, if exploiting the \u003ccode\u003edelete_db_table\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThe server processes the request without proper authorization checks, because \u003ccode\u003ecurrent_user_can()\u003c/code\u003e and \u003ccode\u003ewp_verify_nonce()\u003c/code\u003e are missing.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecdbt_delete_db_table()\u003c/code\u003e function executes a \u003ccode\u003eDROP TABLE\u003c/code\u003e SQL query based on the user-supplied \u003ccode\u003edb_table\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eIf the attacker targets a critical WordPress core table like \u003ccode\u003ewp_users\u003c/code\u003e or \u003ccode\u003ewp_options\u003c/code\u003e, the site\u0026rsquo;s functionality will be severely impacted.\u003c/li\u003e\n\u003cli\u003eAlternatively, if exploiting the \u003ccode\u003eadd_table\u003c/code\u003e action, the \u003ccode\u003ecdbt_create_new_table()\u003c/code\u003e function executes a \u003ccode\u003eCREATE TABLE\u003c/code\u003e SQL query, creating an arbitrary database table.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation can lead to complete destruction of the WordPress installation or the introduction of malicious database tables.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows any authenticated user to delete arbitrary database tables, including critical WordPress core tables. This can lead to complete site destruction and data loss. An attacker could delete the \u003ccode\u003ewp_users\u003c/code\u003e table, effectively locking out all administrators and other users, or delete the \u003ccode\u003ewp_options\u003c/code\u003e table, causing the site to revert to its default state or become completely unusable. The CVSS v3.1 base score for this vulnerability is 9.1, highlighting the critical nature of the risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the Create DB Tables plugin to a version higher than 1.2.1, where this vulnerability is patched.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003ewp-admin/admin-post.php\u003c/code\u003e with \u003ccode\u003eaction=delete_db_table\u003c/code\u003e or \u003ccode\u003eaction=add_table\u003c/code\u003e (see rule: \u0026ldquo;Detect Unauthorized DB Table Modification\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests to \u003ccode\u003ewp-admin/admin-post.php\u003c/code\u003e with the vulnerable actions unless originating from an administrator (see rule: \u0026ldquo;WAF - Block Unauthorized DB Table Modification\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T09:16:49Z","date_published":"2026-04-22T09:16:49Z","id":"/briefs/2026-04-wordpress-create-db-tables-auth-bypass/","summary":"The Create DB Tables plugin for WordPress versions 1.2.1 and earlier is vulnerable to an authorization bypass, allowing authenticated users to create and delete database tables without proper checks, potentially leading to complete site destruction.","title":"WordPress Create DB Tables Plugin Authorization Bypass Vulnerability (CVE-2026-4119)","url":"https://feed.craftedsignal.io/briefs/2026-04-wordpress-create-db-tables-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-4119","version":"https://jsonfeed.org/version/1.1"}