CVE-2026-4119: CWE-862 Missing Authorization in jppreus Create DB Tables
The Create DB Tables WordPress plugin up to version 1. 2. 1 has an authorization bypass vulnerability that allows any authenticated user, including those with Subscriber-level access, to create or delete arbitrary database tables. This occurs because the plugin's admin_post action hooks for adding and deleting tables do not perform capability checks or nonce verification. Exploitation can lead to deletion of critical WordPress core tables such as wp_users or wp_options, potentially destroying the entire WordPress installation.
AI Analysis
Technical Summary
CVE-2026-4119 is an authorization bypass vulnerability in the Create DB Tables WordPress plugin (versions up to 1.2.1). The plugin registers admin_post action hooks (admin_post_add_table and admin_post_delete_db_table) that allow any logged-in user to invoke functions to create or delete database tables without verifying user capabilities or nonces. The cdbt_delete_db_table() function executes a DROP TABLE SQL query based on user-supplied input, enabling deletion of any database table, including critical WordPress core tables. The cdbt_create_new_table() function allows creation of arbitrary tables. This vulnerability enables authenticated attackers with minimal privileges to severely disrupt or destroy the WordPress site database.
Potential Impact
An attacker with any authenticated user account, including Subscriber-level access, can delete or create arbitrary database tables. This can result in destruction of critical WordPress core tables such as wp_users or wp_options, leading to loss of data integrity, denial of service, and potential site-wide compromise or downtime. The CVSS score of 9.1 reflects the critical impact on availability and integrity with low attack complexity and no user interaction required.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch is currently available according to the vendor advisory data. Until a patch is released, restrict user access to the plugin's functionality by limiting authenticated user roles or disabling the plugin if possible. Monitor for plugin updates from the vendor and apply official patches promptly once available. Avoid granting unnecessary authenticated access to untrusted users.
CVE-2026-4119: CWE-862 Missing Authorization in jppreus Create DB Tables
Description
The Create DB Tables WordPress plugin up to version 1. 2. 1 has an authorization bypass vulnerability that allows any authenticated user, including those with Subscriber-level access, to create or delete arbitrary database tables. This occurs because the plugin's admin_post action hooks for adding and deleting tables do not perform capability checks or nonce verification. Exploitation can lead to deletion of critical WordPress core tables such as wp_users or wp_options, potentially destroying the entire WordPress installation.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-4119 is an authorization bypass vulnerability in the Create DB Tables WordPress plugin (versions up to 1.2.1). The plugin registers admin_post action hooks (admin_post_add_table and admin_post_delete_db_table) that allow any logged-in user to invoke functions to create or delete database tables without verifying user capabilities or nonces. The cdbt_delete_db_table() function executes a DROP TABLE SQL query based on user-supplied input, enabling deletion of any database table, including critical WordPress core tables. The cdbt_create_new_table() function allows creation of arbitrary tables. This vulnerability enables authenticated attackers with minimal privileges to severely disrupt or destroy the WordPress site database.
Potential Impact
An attacker with any authenticated user account, including Subscriber-level access, can delete or create arbitrary database tables. This can result in destruction of critical WordPress core tables such as wp_users or wp_options, leading to loss of data integrity, denial of service, and potential site-wide compromise or downtime. The CVSS score of 9.1 reflects the critical impact on availability and integrity with low attack complexity and no user interaction required.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch is currently available according to the vendor advisory data. Until a patch is released, restrict user access to the plugin's functionality by limiting authenticated user roles or disabling the plugin if possible. Monitor for plugin updates from the vendor and apply official patches promptly once available. Avoid granting unnecessary authenticated access to untrusted users.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-13T13:27:41.833Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8876e19fe3cd2cd808e36
Added to database: 4/22/2026, 8:31:42 AM
Last enriched: 4/22/2026, 8:46:18 AM
Last updated: 4/22/2026, 9:32:40 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.