Create DB Tables WordPress Plugin Authorization Bypass Vulnerability Allowing Arbitrary Database Table Manipulation

Vulnerability

A vulnerability exists in the Create DB Tables plugin for WordPress, in all versions up to and including 1.2.1. The issue stems from an authorization bypass that allows authenticated users, including those with Subscriber-level access, to create and delete arbitrary database tables. This is possible because the plugin's admin_post action hooks for table creation and deletion do not include any capability checks or nonce verification. Exploitation of this vulnerability could lead to the deletion of critical WordPress core tables, such as wp_users or wp_options, potentially destroying the entire WordPress installation.

Impact

Exploitation of this vulnerability allows for unauthorized creation and deletion of database tables by authenticated users with Subscriber-level access or higher. This could result in the loss of important WordPress data and functionality, especially if core database tables are targeted.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access can send a request to the WordPress site that includes the 'action' parameter set to 'delete_db_table' or 'add_table' via the admin-post.php endpoint. For table deletion, the 'db_table' parameter must be included with the name of the table to be deleted. For table creation, the 'table_name' parameter must be provided, along with any desired row definitions.
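For comparison, the following is an added example (not the plugin's own code) of what a hardened admin_post handler for the table-deletion action looks like: it adds the capability check and nonce verification the advisory says are missing, and restricts deletion to tables the plugin itself created. The callback name, nonce action name and the option used as an allowlist are assumptions.

```php
<?php
// Added example: a hardened admin_post handler for a hypothetical
// "delete_db_table" action. The hook and 'db_table' parameter names follow
// the advisory; the function, nonce action and option names are assumed.

add_action( 'admin_post_delete_db_table', 'example_handle_delete_db_table' );

function example_handle_delete_db_table() {
    global $wpdb;

    // 1. Capability check. admin_post_* hooks fire for ANY logged-in user,
    //    so without this a Subscriber reaches the handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'example' ), 403 );
    }

    // 2. Nonce verification. Binds the request to a form rendered for this
    //    user (wp_nonce_field( 'example_delete_db_table' ) on the form side)
    //    and blocks cross-site request forgery.
    check_admin_referer( 'example_delete_db_table' );

    // 3. Input validation. Only tables the plugin created (assumed to be
    //    recorded in an option) may be dropped, so core tables such as
    //    wp_users or wp_options can never be named here.
    $table = isset( $_POST['db_table'] )
        ? sanitize_key( wp_unslash( $_POST['db_table'] ) )
        : '';
    $owned = (array) get_option( 'example_managed_tables', array() );
    if ( '' === $table || ! in_array( $table, $owned, true ) ) {
        wp_die( esc_html__( 'Unknown table.', 'example' ), 400 );
    }

    // Identifiers cannot be bound with $wpdb->prepare(); the allowlist check
    // above is what makes building this statement safe.
    $wpdb->query( 'DROP TABLE IF EXISTS `' . $wpdb->prefix . $table . '`' );

    wp_safe_redirect( admin_url( 'admin.php?page=example-tables&deleted=1' ) );
    exit;
}
```

The same three checks apply to the table-creation action; a handler that drops or creates tables with none of them is exactly the condition described above.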

Added: Apr 22, 2026, 11:52 AM
Updated: Apr 22, 2026, 11:52 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.