[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6HdqEYQbJiTX-rpx8MIe74OEUZ_63DFWncaTTwy9qI8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-4119","create-db-tables-missing-authorization-to-authenticated-subscriber-arbitrary-database-table-creationdeletion-via-admin-p","Create DB Tables \u003C= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation\u002FDeletion via admin-post.php","The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()\u002Fcheck_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. 
The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.","create-db-tables",null,"\u003C=1.2.1","critical",9.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Missing Authorization","2026-04-21 19:08:50","2026-04-22 07:45:41",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd1a3bc4b-cc17-4728-b242-13841b5f7660?source=api-prod",[],"researched",false,3,"This research plan outlines the steps required to demonstrate the missing authorization vulnerability in the **Create DB Tables** plugin (CVE-2026-4119), which allows any authenticated user (Subscriber level or higher) to create or delete arbitrary database tables.\n\n---\n\n### 1. Vulnerability Summary\nThe **Create DB Tables** plugin (\u003C= 1.2.1) fails to implement authorization and CSRF protection on its administrative post-handling routines. The plugin registers hooks via `admin_post.php` for table creation (`add_table`) and deletion (`delete_db_table`). \n\nThe functions associated with these hooks, `cdbt_create_new_table()` and `cdbt_delete_db_table()`, lack:\n1. **Capability Checks**: No `current_user_can()` check to ensure only administrators can modify the database schema.\n2. 
**Nonce Verification**: No `wp_verify_nonce()` or `check_admin_referer()` to prevent unauthorized or cross-site requests.\n\nAs a result, a Subscriber-level user can trigger a `DROP TABLE` query against any table in the WordPress database, including `wp_users` and `wp_options`, leading to a total site compromise or denial of service.\n\n### 2. Attack Vector Analysis\n*   **Entry Point**: `https:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-post.php`\n*   **Action (Deletion)**: `delete_db_table` (inferred from hook `admin_post_delete_db_table`)\n*   **Action (Creation)**: `add_table` (inferred from hook `admin_post_add_table`)\n*   **Vulnerable Parameter**: `db_table` (used in `cdbt_delete_db_table`)\n*   **Authentication**: Required (Subscriber role or higher).\n*   **Preconditions**: The plugin must be active. Table names below assume the default `wp_` prefix; on a real target confirm the prefix first (`$wpdb->prefix`, or `wp config get table_prefix` with WP-CLI).\n\n### 3. Code Flow\n1.  **Request**: An authenticated user sends a POST request to `admin-post.php` with the parameter `action=delete_db_table`.\n2.  **Hook Execution**: WordPress core processes the request and fires the `admin_post_delete_db_table` hook; `admin_post_{action}` fires for any logged-in user regardless of role.\n3.  **Plugin Callback**: The plugin's registered callback `cdbt_delete_db_table()` is executed.\n4.  **Missing Check**: The function runs without verifying that the user holds a capability such as `manage_options` or that the request carries a valid nonce.\n5.  **Sink**: The function retrieves `$_POST['db_table']` and incorporates it into a SQL query:\n    ```php\n    \u002F\u002F Inferred logic within cdbt_delete_db_table()\n    $table_name = $_POST['db_table'];\n    $wpdb->query(\"DROP TABLE IF EXISTS $table_name\");\n    ```\n6.  **Outcome**: The database table is dropped.\n\n### 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the plugin **entirely lacks nonce verification** for these actions. \n\n*   **Observation**: The description explicitly states \"without implementing any... 
nonce verification via `wp_verify_nonce()`\u002F`check_admin_referer()`.\"\n*   **Conclusion**: No nonce is required for exploitation. The attack can be performed with just a valid logged-in session cookie (`wordpress_logged_in_*`).\n\n### 5. Exploitation Strategy\n\n#### Step 1: Create a Dummy Table for Safe Testing\nBefore touching any real table, create a dummy table so the vulnerability can be confirmed without destroying data.\n\n*   **URL**: `https:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-post.php`\n*   **Method**: `POST`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Parameters**:\n    *   `action`: `add_table`\n    *   `db_table`: `wp_vulnerable_test`\n    *   `db_column_1`: `id` (column definition field inferred; confirm the real field names from the plugin's form)\n    *   `db_type_1`: `INT` (inferred)\n\n#### Step 2: Delete a Table (The Critical Exploit)\nPrefer the dummy table created in Step 1 (`db_table=wp_vulnerable_test`). Only target a core table such as `wp_comments` on a disposable test install: the `DROP TABLE` is irreversible.\n\n*   **URL**: `https:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-post.php`\n*   **Method**: `POST`\n*   **Headers**: `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body**:\n    ```text\n    action=delete_db_table&db_table=wp_comments\n    ```\n\n### 6. Test Data Setup\n1.  **Install Plugin**: Ensure `create-db-tables` \u003C= 1.2.1 is installed and active.\n2.  **Create Subscriber**:\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123\n    ```\n3.  **Verify Tables**: Ensure `wp_comments` exists.\n    ```bash\n    wp db query \"SHOW TABLES LIKE 'wp_comments';\"\n    ```\n\n### 7. Expected Results\n*   **HTTP Response**: The server will likely return a 302 redirect back to an admin page or a 200 OK, depending on the plugin's redirect logic; the status code alone does not confirm success, so check the database.\n*   **Database State**: The targeted table (`wp_comments`) will no longer exist in the database.\n*   **Plugin Behavior**: If the plugin attempts to list tables, the dropped table will be missing.\n\n### 8. 
Verification Steps\nAfter performing the HTTP request, verify that the table was dropped using WP-CLI:\n\n```bash\n# This command should return an empty result if the table was dropped\nwp db query \"SHOW TABLES LIKE 'wp_comments';\"\n\n# Alternatively, check for the disappearance of the dummy table created in Step 1\nwp db query \"SHOW TABLES LIKE 'wp_vulnerable_test';\"\n```\n\n### 9. Alternative Approaches\nIf the `delete_db_table` action name is slightly different (e.g., `cdbt_delete_table`), search the plugin files for the `admin_post` registrations:\n\n```bash\ngrep -r \"admin_post_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fcreate-db-tables\u002F\n```\n\nIf the deletion requires a specific nonce that was missed in the initial report, use the following to find where it might be localized:\n\n1.  Navigate to the plugin's settings page as an admin.\n2.  In the browser's developer-tools console, search for nonce strings in the global window object (and check the page source for hidden `_wpnonce` inputs emitted by `wp_nonce_field()`):\n    ```javascript\n    Object.keys(window).filter(key => typeof window[key] === 'object' && window[key] !== null && 'nonce' in window[key]);\n    ```\n3.  Even if a nonce exists, check whether the backend actually validates it by omitting it from the request. The vulnerability description strongly suggests the check is missing entirely.","The Create DB Tables plugin for WordPress is vulnerable to a missing authorization check in its admin-post handlers, allowing any authenticated user (Subscriber level and above) to create or delete arbitrary database tables. 
This occurs because the plugin registers hooks for table management without verifying user capabilities or using nonces to prevent unauthorized requests.","\u002F\u002F Hook registration (typically found in main plugin file or constructor)\nadd_action('admin_post_add_table', 'cdbt_create_new_table');\nadd_action('admin_post_delete_db_table', 'cdbt_delete_db_table');\n\n---\n\n\u002F\u002F Vulnerable function cdbt_delete_db_table() in plugin logic\nfunction cdbt_delete_db_table() {\n    global $wpdb;\n    $table_name = $_POST['db_table'];\n    \u002F\u002F Missing current_user_can() check\n    \u002F\u002F Missing check_admin_referer() or wp_verify_nonce()\n    $wpdb->query(\"DROP TABLE IF EXISTS $table_name\");\n    \u002F\u002F ... (truncated)\n}","--- a\u002Fcreate-db-tables.php\n+++ b\u002Fcreate-db-tables.php\n@@ -100,6 +100,10 @@\n  function cdbt_delete_db_table() {\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );\n+    }\n+    check_admin_referer( 'cdbt_delete_table_action', 'cdbt_nonce' );\n      global $wpdb;\n      $table_name = sanitize_text_field( $_POST['db_table'] );\n      $wpdb->query( $wpdb->prepare( \"DROP TABLE IF EXISTS %i\", $table_name ) );","The exploit targets the WordPress admin-post.php endpoint, which is accessible to any logged-in user. An attacker with a Subscriber-level account or higher sends a POST request to \u002Fwp-admin\u002Fadmin-post.php with the 'action' parameter set to 'delete_db_table' and the 'db_table' parameter set to the name of a target WordPress table (e.g., 'wp_users' or 'wp_options'). 
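Review bot: the hunk guards cdbt_delete_db_table() only, yet this record says the create handler registered on admin_post_add_table (cdbt_create_new_table()) is equally unprotected, so the same current_user_can( 'manage_options' ) and check_admin_referer() lines belong at the top of that callback too, and the form that posts to admin-post.php has to emit the matching nonce with wp_nonce_field( 'cdbt_delete_table_action', 'cdbt_nonce' ) or the new check turns away legitimate administrators. Two smaller points on the same hunk: the %i identifier placeholder in $wpdb->prepare() exists only in WordPress 6.2 and later, so on older cores the fixed query is malformed and the handler no longer works at all (declare Requires at least: 6.2, or validate the name against [A-Za-z0-9_]+ and backtick-quote it), and the sanitize_text_field() and prepare() lines are shown as unchanged context although the vulnerable snippet above reads $_POST['db_table'] raw, so they should appear as -/+ lines.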
Because the plugin lacks capability checks (current_user_can) and CSRF protection (nonces), the server-side callback executes a DROP TABLE query against the specified table, leading to irreversible loss of that table's data, denial of service, and potential site takeover.","gemini-3-flash-preview","2026-04-27 13:54:05","2026-04-27 13:54:23",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcreate-db-tables\u002Ftags"]
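An added example, not the plugin's code and not the fix diff in this record: a hardened form of the delete handler the record describes. The hook name, the callback's purpose and the `db_table` POST field come from the advisory; the nonce action and field names (`cdbt_delete_table`, `cdbt_nonce`), the helper and form-rendering function names, the `manage_options` capability, the text domain and the admin page slug used for the redirect are assumptions chosen for illustration. It supplies the three things the record says are missing or unsafe: a capability check (the `admin_post_{action}` hook proves only that someone is logged in), a nonce check on the request, and validation of the table name as an identifier before it reaches SQL, refusing WordPress core tables even for an administrator. The advisory says `cdbt_create_new_table()` is unprotected in the same way, so the same guards apply to that callback.

```php
<?php
/**
 * Added example, not the Create DB Tables plugin's own code.
 * Hook name and the db_table POST field are from the advisory; nonce
 * names, helper names, the redirect page slug and the text domain are
 * assumptions for this illustration.
 */

// Registration is unchanged from the vulnerable version: admin_post_{action}
// fires for every logged-in user, so authorization must live in the callback.
add_action( 'admin_post_delete_db_table', 'cdbt_delete_db_table_hardened' );

/**
 * Validate a user-supplied table name as an SQL identifier.
 * Returns the name on success or a WP_Error explaining the rejection.
 */
function cdbt_validate_table_name( $raw ) {
    global $wpdb;

    $name = is_string( $raw ) ? trim( $raw ) : '';

    // Identifiers cannot be protected with prepare()'s %s, so restrict the
    // character set instead of escaping. (WP >= 6.2 also has the %i
    // identifier placeholder; the regex works on every core version.)
    if ( ! preg_match( '/^[A-Za-z0-9_]{1,64}$/', $name ) ) {
        return new WP_Error( 'cdbt_bad_name', 'Table name contains invalid characters.' );
    }

    // Only tables carrying this site's prefix are in scope for the plugin...
    if ( strpos( $name, $wpdb->prefix ) !== 0 ) {
        return new WP_Error( 'cdbt_bad_prefix', 'Table does not belong to this site.' );
    }

    // ...and never a WordPress core table (wp_users, wp_options, ...),
    // which is exactly what the advisory's attack targets.
    $core_tables = array_values( $wpdb->tables( 'all', true ) );
    if ( in_array( $name, $core_tables, true ) ) {
        return new WP_Error( 'cdbt_core_table', 'Refusing to drop a WordPress core table.' );
    }

    return $name;
}

function cdbt_delete_db_table_hardened() {
    global $wpdb;

    // 1. Capability check: a Subscriber reaches this hook but fails here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to do that.', 'create-db-tables' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: dies unless the request carries a nonce issued for this
    //    action (the action and field names are assumptions for this example).
    check_admin_referer( 'cdbt_delete_table', 'cdbt_nonce' );

    // 3. Identifier validation before the name reaches SQL.
    $table = cdbt_validate_table_name( isset( $_POST['db_table'] ) ? wp_unslash( $_POST['db_table'] ) : '' );
    if ( is_wp_error( $table ) ) {
        wp_die( esc_html( $table->get_error_message() ), '', array( 'response' => 400 ) );
    }

    // The name is now [A-Za-z0-9_] only, so backtick-quoting is sufficient.
    $wpdb->query( 'DROP TABLE IF EXISTS `' . $table . '`' );

    // Return to the plugin's page (slug is an assumption) instead of leaving
    // the browser on admin-post.php.
    wp_safe_redirect( add_query_arg(
        array( 'page' => 'create-db-tables', 'deleted' => rawurlencode( $table ) ),
        admin_url( 'admin.php' )
    ) );
    exit;
}

// The form that submits to the handler must emit the matching nonce;
// without it, check_admin_referer() rejects even an administrator's request.
function cdbt_render_delete_form( $table ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="delete_db_table">
        <input type="hidden" name="db_table" value="<?php echo esc_attr( $table ); ?>">
        <?php wp_nonce_field( 'cdbt_delete_table', 'cdbt_nonce' ); ?>
        <?php submit_button( 'Delete table', 'delete' ); ?>
    </form>
    <?php
}
```

With these guards in place the request from the record's exploit outline (`action=delete_db_table&db_table=wp_users` from a Subscriber session) is stopped at the capability check, a forged cross-site request from an administrator is stopped at the nonce check, and a request that passes both still cannot name a core table.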