{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4126", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T13:54:47.624Z", "datePublished": "2026-04-22T07:45:32.552Z", "dateUpdated": "2026-04-22T15:31:46.501Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:32.552Z"}, "affected": [{"vendor": "primisdigital", "product": "Table Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'table_manager' shortcode. The shortcode handler `tablemanager_render_table_shortcode()` takes a user-controlled `table` attribute, applies only `sanitize_key()` for sanitization, and concatenates the value with `$wpdb->prefix` to form a full database table name. It then executes `DESC` and `SELECT *` queries against this table and renders all rows and columns to the frontend. There is no allowlist check to ensure only plugin-created tables can be accessed \u2014 the `tablemanager_created_tables` option is only referenced in admin functions, never in the shortcode handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from arbitrary WordPress database tables."}], "title": "Table Manager <= 1.0.0 - Authenticated (Contributor+) Sensitive Information Exposure via 'table' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25b3607c-f99e-4359-8228-0f3452f80aac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L573"}, {"url": "https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L573"}, {"url": "https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L572"}, {"url": "https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L572"}, {"url": "https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L561"}, {"url": "https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L561"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2026-04-21T19:09:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T15:25:36.373656Z", "id": "CVE-2026-4126", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:31:46.501Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4126", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T15:25:36.373656Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:25:39.975Z"}}], "cna": {"title": "Table Manager <= 1.0.0 - Authenticated (Contributor+) Sensitive Information Exposure via 'table' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "primisdigital", "product": "Table Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-21T19:09:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25b3607c-f99e-4359-8228-0f3452f80aac?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L573"}, {"url": "https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L573"}, {"url": "https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L572"}, {"url": "https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L572"}, {"url": "https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L561"}, {"url": "https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L561"}], "descriptions": [{"lang": "en", "value": "The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'table_manager' shortcode. The shortcode handler `tablemanager_render_table_shortcode()` takes a user-controlled `table` attribute, applies only `sanitize_key()` for sanitization, and concatenates the value with `$wpdb->prefix` to form a full database table name. It then executes `DESC` and `SELECT *` queries against this table and renders all rows and columns to the frontend. There is no allowlist check to ensure only plugin-created tables can be accessed \u2014 the `tablemanager_created_tables` option is only referenced in admin functions, never in the shortcode handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from arbitrary WordPress database tables."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:32.552Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4126", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:31:46.501Z", "dateReserved": "2026-03-13T13:54:47.624Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-22T07:45:32.552Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Table Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.0 via the 'table_manager' shortcode. The shortcode handler `tablemanager_render_table_shortcode()` takes a user-controlled `table` attribute, applies only `sanitize_key()` for sanitization, and concatenates the value with `$wpdb->prefix` to form a full database table name. It then executes `DESC` and `SELECT *` queries against this table and renders all rows and columns to the frontend. There is no allowlist check to ensure only plugin-created tables can be accessed \u2014 the `tablemanager_created_tables` option is only referenced in admin functions, never in the shortcode handler. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from arbitrary WordPress database tables."}], "id": "CVE-2026-4126", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:23.777", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L561"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L572"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/table-manager/tags/1.0.0/table-manager.php#L573"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L561"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L572"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/table-manager/trunk/table-manager.php#L573"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25b3607c-f99e-4359-8228-0f3452f80aac?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Table Manager", "source": "cna", "vendor": "primisdigital"}, "product": "table_manager", "vendor": "primisdigital"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T09:28:10.490909+00:00", "value": {"mitigation_remediation": ["Upgrade primisdigital\u2019s Table Manager to the latest version that removes the vulnerability.", "Restrict the use of the table_manager shortcode by editing user roles so that only administrators can add or edit posts containing it.", "If upgrading immediately is not possible, disable the Table Manager plugin or remove it entirely from the site to eliminate the vulnerable code path."], "summary": {"action": "Update", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "All installations of primisdigital\u2019s Table Manager plugin with a version of 1.0.0 or earlier are affected. The vulnerability exists in the default deployment of the plugin and is not limited to any particular WordPress installation configuration.", "description_and_impact": "The Table Manager WordPress plugin contains a flaw that allows an authenticated user with Contributor level or higher to reveal arbitrary database content. The plugin\u2019s shortcode processor accepts a \"table\" parameter, sanitizes it only with a key validation routine, then combines it with the database prefix and runs a DESCRIBE command followed by a SELECT * on the resulting table. Because the processor does not enforce an allow\u2011list of plugin\u2011created tables, an attacker can specify any table name and have its entire contents exposed on the front end.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate risk, and the exploitation likelihood is not quantified due to missing EPSS data. The attack requires authenticated access at the Contributor level, which many sites assign to content editors. Once authenticated, an attacker can embed the malicious shortcode in a post or page they can edit and trigger a direct leak of arbitrary database table data to any viewer of that content. The plugin is not listed in the CISA KEV catalog, so there is no formal indication of active exploitation at this time."}}}}, "created": "2026-04-22T09:30:13.557625+00:00", "updated": "2026-04-22T11:44:19.359498+00:00", "vendors": ["primisdigital", "primisdigital$PRODUCT$table_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}