CVE · April 23, 2026

CVE-2026-4119: Authorization Bypass in Create DB Tables Plugin Exposes WordPress Databases

CVE-2026-4119 is a critical authorization bypass vulnerability in the Create DB Tables WordPress plugin, disclosed on April 23, 2026. The plugin lets administrators create and manage custom database tables from the WordPress admin dashboard, but it registers several admin_post_ action hooks without checking the capabilities of the user who triggers them.

Any authenticated user — including Subscribers with zero administrative privileges — can send a crafted POST request to trigger table creation, alteration, or deletion.

The flaw carries a CVSS score of 9.1. This places it firmly in the “Critical” severity range. The vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) tells the complete story: low attack complexity, low privileges required, no user interaction, and a scope change that lets attackers impact resources beyond the vulnerable component.

CVE-2026-4119 Create DB Tables: Technical Breakdown

The root cause is straightforward and all too common in WordPress plugins: the use of admin_post_ action hooks without a preceding capability check.

When WordPress processes an admin_post_ action, it routes the request to the registered callback function. Convention dictates that the callback begins with a capability check — typically something like:

if (!current_user_can('manage_options')) {
    wp_die('Unauthorized');
}

In Create DB Tables, the hooks for creating, altering, and dropping tables lack any capability verification. An attacker with a Subscriber account can craft a POST request and execute arbitrary SQL CREATE TABLE, ALTER TABLE, or DROP TABLE statements against the site’s database.
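As an added example (not code from the plugin or from this article), this is the shape a hardened admin_post_ handler for a drop-table action would take: the capability check the vulnerable hooks omitted, plus the nonce and identifier checks a reviewer would also expect. The action name, the cdbt_ table prefix and the function names are hypothetical.

```php
<?php
/*
 * Hypothetical hardened handler for a "drop table" admin action.
 *
 * admin_post_{action} fires for ANY logged-in user who POSTs to
 * /wp-admin/admin-post.php?action=..., so the callback itself must enforce
 * authorization; WordPress does not do it for you. (admin_post_nopriv_
 * does the same for logged-out visitors.)
 */

add_action( 'admin_post_cdbt_drop_table', 'cdbt_handle_drop_table' );

function cdbt_handle_drop_table() {
    // 1. Capability check: the line the vulnerable hooks lack. A Subscriber
    //    stops here instead of reaching the SQL below.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Unauthorized', 'Unauthorized', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the submitting form must include
    //    wp_nonce_field( 'cdbt_drop_table' ).
    check_admin_referer( 'cdbt_drop_table' );

    // 3. Identifier validation: $wpdb->prepare() cannot parameterise table
    //    names, so accept only a plain identifier. Prefixing it with a
    //    plugin-owned namespace (assumed here: {$wpdb->prefix}cdbt_) keeps
    //    core tables such as wp_users out of reach of this action.
    $name = isset( $_POST['table'] ) ? wp_unslash( $_POST['table'] ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_]{1,64}$/', $name ) ) {
        wp_die( 'Invalid table name', 'Bad Request', array( 'response' => 400 ) );
    }

    global $wpdb;
    $table = $wpdb->prefix . 'cdbt_' . $name;
    $wpdb->query( "DROP TABLE IF EXISTS `{$table}`" );

    // 4. Leave an audit trail so unexpected DROP statements can be traced
    //    back to a user, which the remediation advice below relies on.
    error_log( sprintf( 'cdbt: user %d dropped table %s', get_current_user_id(), $table ) );

    wp_safe_redirect( add_query_arg( 'cdbt_dropped', $name, admin_url( 'tools.php?page=cdbt' ) ) );
    exit;
}
```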

CVE-2026-4119 Create DB Tables: Impact Assessment

  • Table Creation: An attacker could create new tables containing malicious content, spam, or phishing pages that appear part of the legitimate site.
  • Table Alteration: Modifying existing plugin or core tables could introduce backdoors, disable security features, or corrupt data.
  • Table Deletion: Dropping critical tables — including wp_posts, wp_users, or wp_options — would render the site inoperable.

Because the vulnerability exists at the database level, even security plugins focused on application-layer protection may not catch the abuse.

Who Is Affected

Any WordPress site running Create DB Tables version 1.2.1 or earlier is vulnerable. While this is a niche plugin, the sites that use it tend to be database-heavy applications. The potential for damage grows accordingly.

Remediation

  • Immediately disable the plugin if not actively needed.
  • Review user accounts for suspicious Subscriber-level accounts.
  • Check database logs for unexpected CREATE, ALTER, or DROP statements.
  • Monitor for plugin updates and apply the patch as soon as available.
  • If you must keep the plugin active, restrict access to /wp-admin/admin-post.php using a WAF or server-level controls.

How Trusti Security Can Help

No security plugin can fully prevent SQL injection via missing capability checks. However, a comprehensive suite like Trusti Security helps harden your site against the broader attack surface. Features like Brute Force Protection, Custom Login URL, and Two-Factor Authentication make it harder for attackers to maintain authenticated access. Regular security scanning helps identify plugins with known vulnerabilities before exploitation.
