CVE-2026-4126
Description
The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'table_manager' shortcode. The shortcode handler tablemanager_render_table_shortcode() takes a user-controlled table attribute, applies only sanitize_key() for sanitization, and concatenates the value with $wpdb->prefix to form a full database table name. It then executes DESC and SELECT * queries against this table and renders all rows and columns to the frontend. There is no allowlist check to ensure only plugin-created tables can be accessed — the tablemanager_created_tables option is only referenced in admin functions, never in the shortcode handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from arbitrary WordPress database tables.
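The missing allowlist check described above can be applied after the fact as a content audit. The following is an added example, not code from the plugin or from the advisory: it scans exported post content for `table_manager` shortcodes and reports any whose `table` attribute resolves to a table outside the plugin-created set. The row layout, the `wp_` prefix, the sample table names and the stored format of the `tablemanager_created_tables` option are assumptions.

```python
import re

# Constructed sample rows (id, author role, post_content); not real site data.
SAMPLE_POSTS = [
    {"id": 11, "role": "editor", "content": 'Prices: [table_manager table="price_list"]'},
    {"id": 12, "role": "contributor", "content": "[table_manager table='not_a_plugin_table']"},
    {"id": 13, "role": "contributor", "content": "Draft [table_manager table=Other_Table!]"},
]

SHORTCODE = re.compile(r"\[table_manager(?![\w-])([^\]]*)\]")
TABLE_ATTR = re.compile(
    r"""(?<![\w-])table\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""", re.IGNORECASE
)


def sanitize_key(value):
    """Mirror WordPress sanitize_key(): lowercase, keep only a-z, 0-9, '_' and '-'."""
    return re.sub(r"[^a-z0-9_\-]", "", value.lower())


def audit_posts(posts, prefix, created_tables):
    """List shortcode uses whose resolved table is not in the plugin-created set."""
    allowed = {t.lower() for t in created_tables}
    findings = []
    for post in posts:
        for match in SHORTCODE.finditer(post["content"]):
            attr = TABLE_ATTR.search(match.group(1))
            if attr is None:
                continue
            raw = next(g for g in attr.groups() if g is not None)
            key = sanitize_key(raw)
            full = prefix + key
            # Assumption: the option may hold prefixed or unprefixed names; accept both.
            if key and key not in allowed and full not in allowed:
                findings.append({"post_id": post["id"], "role": post["role"], "table": full})
    return findings


if __name__ == "__main__":
    for finding in audit_posts(SAMPLE_POSTS, "wp_", ["price_list"]):
        print(finding)
```

The comparison runs on the value after `sanitize_key()` normalization because that is the form the handler concatenates with `$wpdb->prefix`.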
Affected products (1)
Patches (0)
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php (nvd)
- plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/25b3607c-f99e-4359-8228-0f3452f80aac (nvd)
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026), Wordfence Blog · Apr 30, 2026