Home

Description

The Word Count and Social Shares WordPress plugin through 1.0 does not validate a user-supplied file path before deletion, nor does it have proper authorization or CSRF checks, allowing any authenticated user, such as a Subscriber, to delete arbitrary files on the server, which can lead to a full site takeover (e.g. by deleting wp-config.php).

PUBLISHED Reserved 2026-06-08 | Published 2026-07-14 | Updated 2026-07-14 | Assigner WPScan

Problem types

CWE-73 External Control of File Name or Path

CWE-352 Cross-Site Request Forgery (CSRF)

Product status

Default status
unknown

Any version
affected

Credits

Muni Nitish Kumar Yaddala finder

WPScan coordinator

References

wpscan.com/...rability/7f4b5f16-6c31-4dcc-94a4-120cb45631bb/ exploit vdb-entry technical-description

cve.org (CVE-2026-11563)

nvd.nist.gov (CVE-2026-11563)

Download JSON