CVE-2026-11563
The Word Count and Social Shares WordPress plugin through 1.0 does not validate a user-supplied file path before deletion, nor does it have
CVSS
9.6
Crítico
EPSS
0.2%
p6
KEV
—
Exploit Today
2
0-100
Publicado: 14 jul 2026 · Última mod.: 14 jul 2026
0.1%EPSS · 30 días0.2%
2026-07-142026-07-17
The Word Count and Social Shares WordPress plugin through 1.0 does not validate a user-supplied file path before deletion, nor does it have proper authorization or CSRF checks, allowing any authenticated user, such as a Subscriber, to delete arbitrary files on the server, which can lead to a full site takeover (e.g. by deleting wp-config.php).
Sin CVEs relacionados por CWE o producto.