CVE-2026-4126 MEDIUM

CVE-2026-4126: Table Manager <= 1.0.0 - Authenticated (Contributor+) Sensitive Information Exposure via 'table' Shortcode Attribute

Vendor Primisdigital
Product Table Manager
Weakness CWE-200 · Info exposure
Published April 22, 2026
Last update April 22, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'table_manager' shortcode. The shortcode handler `tablemanager_render_table_shortcode()` takes a user-controlled `table` attribute, applies only `sanitize_key()` for sanitization, and concatenates the value with `$wpdb->prefix` to form a full database table name. It then executes `DESC` and `SELECT *` queries against this table and renders all rows and columns to the frontend. There is no allowlist check to ensure only plugin-created tables can be accessed — the `tablemanager_created_tables` option is only referenced in admin functions, never in the shortcode handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from arbitrary WordPress database tables.

Explanation of Vulnerability in Simple Terms

02Summary

Table Manager versions 1.0.0 and earlier expose sensitive information to authenticated users. A logged-in user can read data they should not have access to due to insufficient access controls. The exposure is limited to confidentiality; the vulnerability does not allow modification or deletion of data. Update to a version newer than 1.0.0.

What an attacker can do

03Attacker Capabilities

Read sensitive data they should not have access to.

Potential impact on your site

04Site Impact

Authenticated users can view confidential information not intended for their role.

Conditions required to exploit

05Prerequisites

Attacker must be logged in as a user with low-level privileges.

Key dates

06Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated