CVE-2026-4119: CWE-862 Missing Authorization in jppreus Create DB Tables
The Create DB Tables WordPress plugin up to version 1. 2. 1 has an authorization bypass vulnerability. It registers admin_post hooks for creating and deleting database tables without proper capability checks or nonce verification. This allows any authenticated user, including those with Subscriber-level access, to create arbitrary tables or delete any existing database table, including critical WordPress core tables. The vulnerability can lead to severe integrity and availability impacts on the WordPress installation.
AI Analysis
Technical Summary
CVE-2026-4119 is an authorization bypass vulnerability in the Create DB Tables WordPress plugin (up to version 1.2.1). The plugin's admin_post action hooks for adding and deleting tables do not implement capability checks via current_user_can() or nonce verification, relying only on user authentication. Consequently, any logged-in user, regardless of privilege level, can invoke these hooks. The cdbt_delete_db_table() function executes a DROP TABLE SQL query based on user input without authorization checks, enabling deletion of any database table, including critical core tables like wp_users or wp_options. Similarly, cdbt_create_new_table() allows creation of arbitrary tables. This vulnerability can result in destruction or corruption of the WordPress database.
Potential Impact
An authenticated attacker with minimal privileges (Subscriber or higher) can delete any database table or create arbitrary tables in the WordPress database. This can lead to loss of critical data, including user accounts and site configuration, potentially rendering the WordPress site inoperable. The CVSS v3.1 score is 9.1 (critical), reflecting the high impact on integrity and availability with no user interaction required and network attack vector.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch is currently available from the vendor. Until a patch is released, restrict plugin usage to trusted users only or consider disabling the plugin to prevent exploitation. Monitor vendor advisories for updates and apply official fixes once available.
CVE-2026-4119: CWE-862 Missing Authorization in jppreus Create DB Tables
Description
The Create DB Tables WordPress plugin up to version 1. 2. 1 has an authorization bypass vulnerability. It registers admin_post hooks for creating and deleting database tables without proper capability checks or nonce verification. This allows any authenticated user, including those with Subscriber-level access, to create arbitrary tables or delete any existing database table, including critical WordPress core tables. The vulnerability can lead to severe integrity and availability impacts on the WordPress installation.
CVSS v3.1
Score 9.1critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-4119 is an authorization bypass vulnerability in the Create DB Tables WordPress plugin (up to version 1.2.1). The plugin's admin_post action hooks for adding and deleting tables do not implement capability checks via current_user_can() or nonce verification, relying only on user authentication. Consequently, any logged-in user, regardless of privilege level, can invoke these hooks. The cdbt_delete_db_table() function executes a DROP TABLE SQL query based on user input without authorization checks, enabling deletion of any database table, including critical core tables like wp_users or wp_options. Similarly, cdbt_create_new_table() allows creation of arbitrary tables. This vulnerability can result in destruction or corruption of the WordPress database.
Potential Impact
An authenticated attacker with minimal privileges (Subscriber or higher) can delete any database table or create arbitrary tables in the WordPress database. This can lead to loss of critical data, including user accounts and site configuration, potentially rendering the WordPress site inoperable. The CVSS v3.1 score is 9.1 (critical), reflecting the high impact on integrity and availability with no user interaction required and network attack vector.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch is currently available from the vendor. Until a patch is released, restrict plugin usage to trusted users only or consider disabling the plugin to prevent exploitation. Monitor vendor advisories for updates and apply official fixes once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-13T13:27:41.833Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8876e19fe3cd2cd808e36
Added to database: 4/22/2026, 8:31:42 AM
Last enriched: 4/29/2026, 11:10:02 AM
Last updated: 6/5/2026, 6:37:13 PM
Views: 80
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.