Cyber Posture

CVE-2026-4119

Critical

Published: 22 April 2026

Published: 22 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0003 (7.9th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4119 is a critical-severity Missing Authorization (CWE-862) vulnerability in the Create DB Tables plugin for WordPress (affected product inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 7.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

AC-3 Access Enforcement (prevent): Enforces approved authorizations to prevent authenticated low-privilege users such as Subscribers from reaching the admin_post endpoints that create and delete arbitrary database tables.

AC-6 Least Privilege (prevent): Applies least privilege so that destructive database operations are restricted to the high-privilege accounts that genuinely need them, mitigating the bypass of capability checks in the plugin.

Input validation (prevent): Validates user-supplied inputs such as table names from POST data before executing SQL queries, preventing an arbitrary DROP TABLE on critical WordPress tables.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Authorization bypass in public-facing WordPress plugin directly enables exploitation of the application (T1190) and facilitates data destruction through arbitrary table deletion (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.

Deeper analysis [AI-generated]

CVE-2026-4119 is an authorization bypass vulnerability in the Create DB Tables plugin for WordPress, affecting all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing capability checks via current_user_can() or nonce verification via wp_verify_nonce() or check_admin_referer(). These endpoints only require the user to be logged in, enabling any authenticated user, including those with Subscriber-level access, to access them. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-862 (Missing Authorization).

An attacker with any authenticated account, such as a Subscriber, can exploit this vulnerability by sending POST requests to the affected admin_post endpoints. The cdbt_delete_db_table() function directly uses a user-supplied table name from $_POST['db_table'] in a DROP TABLE SQL query, allowing deletion of any database table, including critical WordPress core tables like wp_users or wp_options. Similarly, the cdbt_create_new_table() function enables creation of arbitrary database tables. This grants attackers the ability to destroy the entire WordPress installation by wiping essential data or injecting malicious structures.

The provided references point to specific lines in the plugin's source code on the WordPress plugin trac repository, highlighting the lack of authorization and nonce checks in create-db-tables.php (lines 370, 376, 405, 408) and create-new-table.php (line 14), but no advisories or patches are detailed in the available information.
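The three checks whose absence the NVD description and the analysis above describe (a capability check, nonce verification, and validation of the table name taken from POST data) map directly onto the AC-3, AC-6 and input-validation controls listed under Mitigating Controls. The handler below is an added example written for this page showing how a WordPress plugin applies all three to a destructive admin_post action; it is not code from the Create DB Tables plugin or its trac source. The hook name, the functions prefixed example_, the manage_options capability, the option that records which tables the plugin itself created, and the nonce action and field names are all assumptions.

```php
<?php
// Added illustration, not the Create DB Tables plugin's code. Every name
// prefixed "example_" is hypothetical.

// admin_post_* hooks fire for any logged-in user, so authorization must be
// enforced inside the handler itself. No admin_post_nopriv_* hook is
// registered, so anonymous requests never reach this function.
add_action( 'admin_post_example_delete_table', 'example_handle_delete_table' );

function example_handle_delete_table() {
    global $wpdb;

    // AC-3 / AC-6: only users holding a high-privilege capability may proceed.
    // A Subscriber fails this check and receives a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'example' ), '', array( 'response' => 403 ) );
    }

    // Nonce verification: the submitting form must carry
    // wp_nonce_field( 'example_delete_table_action', 'example_delete_table_nonce' ).
    // check_admin_referer() calls wp_die() itself on a missing or stale nonce.
    check_admin_referer( 'example_delete_table_action', 'example_delete_table_nonce' );

    // Input validation: pull the raw value, then reject anything that is not
    // a plain identifier before it gets anywhere near SQL.
    $table = isset( $_POST['db_table'] ) ? (string) wp_unslash( $_POST['db_table'] ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_]{1,64}$/', $table ) || ! example_is_deletable_table( $table ) ) {
        wp_die( esc_html__( 'Invalid table.', 'example' ), '', array( 'response' => 400 ) );
    }

    // A table identifier cannot be bound with $wpdb->prepare(), so the
    // allowlist check above is the real control; the backticks and esc_sql()
    // are defence in depth for a value already known to be a plain identifier.
    $wpdb->query( 'DROP TABLE IF EXISTS `' . esc_sql( $table ) . '`' );

    // Leave an audit trail: who dropped what, for incident response.
    error_log( sprintf( 'example plugin: user %d dropped table %s', get_current_user_id(), $table ) );

    wp_safe_redirect( add_query_arg( 'deleted', '1', admin_url( 'admin.php?page=example' ) ) );
    exit;
}

// Only tables the plugin created itself may be dropped: never a core table
// such as wp_users or wp_options, and never a table from another prefix.
function example_is_deletable_table( $table ) {
    global $wpdb;

    // Assumed registry: the plugin appends each table it creates to this option.
    $registry = (array) get_option( 'example_created_tables', array() );

    if ( 0 !== strpos( $table, $wpdb->prefix ) ) {
        return false;
    }
    // $wpdb->tables() lists the core tables for this site, with prefix.
    if ( in_array( $table, $wpdb->tables(), true ) ) {
        return false;
    }
    return in_array( $table, $registry, true );
}
```

The order matters: the capability check runs before the nonce check so that an unauthorized user learns nothing about nonce handling, and both run before any input is inspected. Even with both checks in place, the allowlist in example_is_deletable_table() is what stops a privileged but mistaken request from dropping wp_users; the regex alone would still accept a core table name.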

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-25443 (shared CWE-862)
CVE-2026-4365 (shared CWE-862)
CVE-2025-68547 (shared CWE-862)
CVE-2025-23512 (shared CWE-862)
CVE-2026-32817 (shared CWE-862)
CVE-2025-22657 (shared CWE-862)
CVE-2025-22715 (shared CWE-862)
CVE-2025-70150 (shared CWE-862)
CVE-2026-27181 (shared CWE-862)
CVE-2025-65669 (shared CWE-862)

References