CVE-2026-11563 in Word Count and Social Shares Plugininfo

Summary

by MITRE • 07/14/2026

The Word Count and Social Shares WordPress plugin through 1.0 does not validate a user-supplied file path before deletion, nor does it have proper authorization or CSRF checks, allowing any authenticated user, such as a Subscriber, to delete arbitrary files on the server, which can lead to a full site takeover (e.g. by deleting wp-config.php).

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/14/2026

The vulnerability in the Word Count and Social Shares WordPress plugin version 1.0 represents a critical security flaw that stems from inadequate input validation and insufficient access controls within the plugin's file deletion functionality. This issue exposes the plugin to arbitrary file deletion attacks, where authenticated users can manipulate the system to remove files from the server without proper authorization. The vulnerability specifically arises from the plugin's failure to validate user-supplied file paths before executing deletion operations, creating an attack surface that allows malicious actors to target critical system files. The lack of proper authorization checks means that even low-privileged users such as subscribers can exploit this weakness, fundamentally undermining the security model of WordPress installations that rely on role-based access controls.

The technical implementation of this vulnerability demonstrates a classic path traversal and privilege escalation flaw that aligns with CWE-22 Path Traversal and CWE-798 Use of Hard-coded Credentials. The plugin's code does not properly sanitize or validate file paths provided by users, allowing attackers to supply malicious input that bypasses normal file system access controls. This flaw particularly affects WordPress installations where the plugin is active, as it enables attackers with minimal privileges to execute destructive operations against the web server. The absence of Cross-Site Request Forgery (CSRF) protection further compounds the risk, eliminating any client-side safeguards that might otherwise prevent unauthorized actions from being performed on behalf of authenticated users.

The operational impact of this vulnerability extends far beyond simple file deletion capabilities, as it provides attackers with a pathway to achieve complete system compromise. When an attacker can delete critical files such as wp-config.php, they effectively eliminate the site's database connection configuration and potentially other essential components that prevent normal operation. This type of attack can lead to complete site takeover scenarios where the attacker gains control over all aspects of the WordPress installation, including access to user accounts, content management capabilities, and potential lateral movement within network environments. The vulnerability essentially transforms any authenticated user account into a potential vector for catastrophic system damage, making it particularly dangerous in multi-user environments where subscriber accounts may be compromised.

Security mitigations for this vulnerability should focus on implementing proper input validation, authorization checks, and CSRF protection mechanisms within the plugin's codebase. Organizations should immediately update to patched versions of the plugin if available, or implement temporary workarounds such as disabling the vulnerable functionality until a proper fix can be applied. The implementation of proper file path validation using whitelisting approaches or strict sanitization routines would prevent attackers from supplying malicious paths that could target system-critical files. Additionally, enforcing robust authorization controls and implementing CSRF tokens for all file operations would ensure that only properly authenticated users with appropriate privileges can perform destructive actions. Organizations should also consider monitoring for suspicious file deletion activities in their web server logs as an additional defensive measure against exploitation attempts. This vulnerability serves as a reminder of the critical importance of proper security practices within WordPress plugins, particularly concerning file system interactions and user privilege management, aligning with ATT&CK techniques that emphasize privilege escalation and persistence through file system manipulation.

The broader implications of this vulnerability highlight the need for comprehensive security testing of third-party WordPress plugins before deployment in production environments. Many plugin developers fail to implement proper security controls for file operations, leaving installations vulnerable to exploitation by threat actors who understand these common attack patterns. The ease with which a subscriber account can be leveraged to perform system-level destructive actions demonstrates how insufficient access controls can create pathways for attackers to escalate their privileges within WordPress installations. This type of vulnerability also underscores the importance of maintaining up-to-date security practices and regularly auditing plugin functionality for potential security weaknesses that could compromise entire web applications.

Responsible

WPScan

Reservation

06/08/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!