Description
The Word Count and Social Shares WordPress plugin through 1.0 does not validate a user-supplied file path before deletion, nor does it have proper authorization or CSRF checks, allowing any authenticated user, such as a Subscriber, to delete arbitrary files on the server, which can lead to a full site takeover (e.g. by deleting wp-config.php).
Published:
2026-07-14
Score:
n/a
EPSS:
n/a
KEV:
No
Impact:
n/a
Action:
n/a
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Tue, 14 Jul 2026 06:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Word Count and Social Shares WordPress plugin through 1.0 does not validate a user-supplied file path before deletion, nor does it have proper authorization or CSRF checks, allowing any authenticated user, such as a Subscriber, to delete arbitrary files on the server, which can lead to a full site takeover (e.g. by deleting wp-config.php). | |
| Title | Word Count and Social Shares <= 1.0 - Subscriber+ Arbitrary File Deletion via Path Traversal | |
| References |
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-07-14T06:00:02.086Z
Reserved: 2026-06-08T07:57:39.644Z
Link: CVE-2026-11563
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.