CVE-2026-4126: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in primisdigital Table Manager
CVE-2026-4126 is a vulnerability in the primisdigital Table Manager WordPress plugin up to version 1. 0. 0 that allows authenticated users with Contributor-level access or higher to expose sensitive information from arbitrary WordPress database tables. The vulnerability arises because the shortcode handler for 'table_manager' accepts a user-controlled table name, sanitizes it insufficiently, and queries the database without verifying that the table belongs to the plugin. This can lead to unauthorized data disclosure through the frontend. The CVSS score is 4. 3, indicating medium severity. No official patch or remediation guidance is currently available from the vendor.
AI Analysis
Technical Summary
The Table Manager plugin for WordPress versions up to 1.0.0 contains a sensitive information exposure vulnerability (CWE-200) via its 'table_manager' shortcode. The shortcode handler function `tablemanager_render_table_shortcode()` accepts a user-supplied `table` attribute, sanitizes it only with `sanitize_key()`, and concatenates it with the WordPress database prefix to form a table name. It then executes `DESC` and `SELECT *` queries on this table and outputs all data to the frontend. There is no allowlist or verification to ensure the table is one created by the plugin, as the `tablemanager_created_tables` option is only checked in admin functions, not in the shortcode handler. This allows authenticated users with Contributor or higher privileges to extract data from any database table accessible by WordPress, leading to exposure of potentially sensitive information. The vulnerability has a CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), reflecting network attack vector, low attack complexity, requiring privileges, no user interaction, unchanged scope, and limited confidentiality impact. No known exploits are reported in the wild, and no official patch or remediation level has been published by the vendor as of the data provided.
Potential Impact
Authenticated users with Contributor-level or higher privileges can exploit this vulnerability to read data from arbitrary WordPress database tables via the vulnerable shortcode. This leads to unauthorized disclosure of sensitive information stored in the database. The impact is limited to confidentiality loss; integrity and availability are not affected. The vulnerability does not require user interaction and can be exploited remotely over the network.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level and higher user privileges to trusted users only. Avoid using the vulnerable shortcode or disable the Table Manager plugin if possible. Monitor for updates from primisdigital regarding a security patch or official mitigation steps.
CVE-2026-4126: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in primisdigital Table Manager
Description
CVE-2026-4126 is a vulnerability in the primisdigital Table Manager WordPress plugin up to version 1. 0. 0 that allows authenticated users with Contributor-level access or higher to expose sensitive information from arbitrary WordPress database tables. The vulnerability arises because the shortcode handler for 'table_manager' accepts a user-controlled table name, sanitizes it insufficiently, and queries the database without verifying that the table belongs to the plugin. This can lead to unauthorized data disclosure through the frontend. The CVSS score is 4. 3, indicating medium severity. No official patch or remediation guidance is currently available from the vendor.
CVSS v3.1
Score 4.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Table Manager plugin for WordPress versions up to 1.0.0 contains a sensitive information exposure vulnerability (CWE-200) via its 'table_manager' shortcode. The shortcode handler function `tablemanager_render_table_shortcode()` accepts a user-supplied `table` attribute, sanitizes it only with `sanitize_key()`, and concatenates it with the WordPress database prefix to form a table name. It then executes `DESC` and `SELECT *` queries on this table and outputs all data to the frontend. There is no allowlist or verification to ensure the table is one created by the plugin, as the `tablemanager_created_tables` option is only checked in admin functions, not in the shortcode handler. This allows authenticated users with Contributor or higher privileges to extract data from any database table accessible by WordPress, leading to exposure of potentially sensitive information. The vulnerability has a CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), reflecting network attack vector, low attack complexity, requiring privileges, no user interaction, unchanged scope, and limited confidentiality impact. No known exploits are reported in the wild, and no official patch or remediation level has been published by the vendor as of the data provided.
Potential Impact
Authenticated users with Contributor-level or higher privileges can exploit this vulnerability to read data from arbitrary WordPress database tables via the vulnerable shortcode. This leads to unauthorized disclosure of sensitive information stored in the database. The impact is limited to confidentiality loss; integrity and availability are not affected. The vulnerability does not require user interaction and can be exploited remotely over the network.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Contributor-level and higher user privileges to trusted users only. Avoid using the vulnerable shortcode or disable the Table Manager plugin if possible. Monitor for updates from primisdigital regarding a security patch or official mitigation steps.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-13T13:54:47.624Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e8876e19fe3cd2cd808e56
Added to database: 4/22/2026, 8:31:42 AM
Last enriched: 4/29/2026, 11:22:41 AM
Last updated: 6/6/2026, 11:01:15 PM
Views: 45
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.