CVE-2026-4119

Create DB Tables · Create DB Tables for WordPress

The Create DB Tables plugin for WordPress is vulnerable to authorization bypass, allowing authenticated attackers to drop or create database tables.

Executive summary

Any authenticated user, down to Subscriber level, can drop or create arbitrary tables in the WordPress database, including the core tables the site depends on, because the Create DB Tables plugin performs no authorization checks on its table-management actions.

Vulnerability

The plugin's administrative actions neither check the caller's capability (for example with current_user_can('manage_options')) nor verify a nonce, so any authenticated user, not just an administrator, can trigger them and have the plugin execute DROP TABLE or CREATE TABLE statements against the site's database.
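The following is an added illustration of the bug class described above and of the corresponding fix; it is not the Create DB Tables plugin's code, and the hook names, function names and table prefix (cdt_) are assumptions. The first handler is reachable by every logged-in user because admin_post_{action} hooks fire for any authenticated request; the second adds the capability check, the nonce check and a table-name allowlist that the advisory says are missing.

```php
<?php
// Added example, not the plugin's own code. Names prefixed cdt_ are assumed.

// --- Vulnerable pattern (do not use) ---
// admin_post_{action} fires for every logged-in user, Subscribers included,
// so without further checks this handler is an authorization bypass.
add_action( 'admin_post_cdt_manage_table', 'cdt_manage_table_vulnerable' );

function cdt_manage_table_vulnerable() {
    global $wpdb;
    $table = $_POST['table'] ?? '';
    $op    = $_POST['op'] ?? '';
    if ( 'drop' === $op ) {
        // Any authenticated user can drop any table, core tables included.
        $wpdb->query( "DROP TABLE IF EXISTS `{$table}`" );
    } elseif ( 'create' === $op ) {
        $wpdb->query( "CREATE TABLE IF NOT EXISTS `{$table}` (id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY)" );
    }
    wp_safe_redirect( admin_url( 'tools.php?page=cdt' ) );
    exit;
}

// --- Hardened pattern ---
// 1. Capability check: only users who may manage options (administrators by default).
// 2. Nonce check: the request must come from a form this plugin rendered.
// 3. Allowlist: only tables under the plugin's own prefix, with a safe character set.
add_action( 'admin_post_cdt_manage_table_safe', 'cdt_manage_table_safe' );

function cdt_manage_table_safe() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.' ), 403 );
    }
    // Dies with HTTP 403 if the _wpnonce field is missing or invalid.
    check_admin_referer( 'cdt_manage_table' );

    $table = sanitize_key( wp_unslash( $_POST['table'] ?? '' ) );
    $op    = sanitize_key( wp_unslash( $_POST['op'] ?? '' ) );

    // Never touch core tables: require the plugin's own prefix and [a-z0-9_] only.
    $allowed_prefix = $wpdb->prefix . 'cdt_';
    if ( 0 !== strpos( $table, $allowed_prefix ) || ! preg_match( '/^[a-z0-9_]+$/', $table ) ) {
        wp_die( esc_html__( 'Invalid table name.' ), 400 );
    }

    if ( 'drop' === $op ) {
        $wpdb->query( "DROP TABLE IF EXISTS `{$table}`" );
    } elseif ( 'create' === $op ) {
        $wpdb->query( "CREATE TABLE IF NOT EXISTS `{$table}` (id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY)" );
    }
    wp_safe_redirect( admin_url( 'tools.php?page=cdt' ) );
    exit;
}

// The form that targets the safe handler must emit the matching nonce.
function cdt_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="cdt_manage_table_safe">';
    wp_nonce_field( 'cdt_manage_table' ); // pairs with check_admin_referer() above
    echo '<input type="text" name="table">';
    echo '<input type="hidden" name="op" value="create">';
    submit_button( 'Create table' );
    echo '</form>';
}
```

Note that the nonce alone would not close this hole: a Subscriber who can load the form can obtain a valid nonce, so the capability check is the control that actually enforces authorization, and the nonce only protects against cross-site request forgery.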

Business impact

An attacker can drop the core WordPress tables, causing data loss (permanent if no recent backup exists) and a non-functional site. The CVSS score of 9.1 reflects the severity of that impact on the availability and integrity of the site's data.

Remediation

Immediate Action: Update the Create DB Tables plugin to the latest version.

Proactive Monitoring: Monitor database logs for unexpected DROP TABLE or CREATE TABLE statements. Because WordPress connects to the database with a single database user regardless of which WordPress account is acting, the database log alone cannot attribute a query to a Subscriber; correlate the timestamp with the web-server access log entries for admin-post.php requests and the logged-in user who made them.

Compensating Controls: Until the site is patched, use a WAF to block requests to the plugin's admin-post.php action. A WAF cannot see WordPress roles, so rule either by the action parameter the plugin uses or by restricting admin-post.php entirely to administrator IP ranges; test the rule before enforcing it, since other plugins use the same endpoint.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Update the plugin immediately. Role auditing does not mitigate this bug on its own, since any account, including a Subscriber, suffices to exploit it, but it does limit exposure: remove stale or untrusted accounts, confirm that administrative functions are held only by trusted administrators, and verify that a tested database backup exists before the update.