Skip to main content

Link Library CVE-2026-40779

| EUVDEUVD-2026-36986 HIGH
Path Traversal (CWE-22)
2026-06-15 Patchstack GHSA-fgx4-f7jh-8whq
7.7
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
7.7 HIGH

Network-reachable WordPress endpoint (AV:N), straightforward traversal (AC:L), needs contributor account (PR:L), no victim interaction (UI:N), deletes files outside plugin scope (S:C), only availability impacted (A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:08 vuln.today

DescriptionCVE.org

Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions.

AnalysisAI

Arbitrary file deletion in the Link Library WordPress plugin (versions 7.8.8 and earlier) allows authenticated contributors to delete arbitrary files on the server via a path traversal flaw. Reported by Patchstack and tracked as EUVD-2026-36986, the issue enables low-privileged authors of WordPress content to disrupt site availability by removing critical files such as wp-config.php; no public exploit identified at time of analysis.

Technical ContextAI

Link Library is a WordPress plugin by Yannick Lefebvre (CPE cpe:2.3:a:yannick_lefebvre:link_library) used to manage and display link directories on WordPress sites. The flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal), meaning a file-handling routine in the plugin accepts attacker-controlled path input without canonicalizing or restricting it to an allowed directory, letting traversal sequences resolve to files outside the intended scope. Because WordPress contributor accounts can typically be obtained on sites that allow open registration or via compromised low-tier accounts, the traversal primitive becomes reachable from a normal authenticated plugin endpoint rather than an admin-only one.

RemediationAI

Upstream fix available per the Patchstack advisory; a released patched version is not independently confirmed in the provided data, so WordPress administrators should monitor the plugin page and upgrade Link Library to the first version above 7.8.8 as soon as it is published, consulting https://patchstack.com/database/wordpress/plugin/link-library/vulnerability/wordpress-link-library-plugin-7-8-8-arbitrary-file-deletion-vulnerability for the exact fixed release. As compensating controls while waiting for or unable to apply the patch, deactivate the Link Library plugin entirely (loses link-directory functionality on the site), restrict contributor account creation by disabling open registration in WordPress general settings (prevents anonymous attackers from acquiring the needed role at the cost of friction for legitimate contributors), audit existing contributor and author accounts and demote or remove any that are not strictly required, and place the WordPress admin area behind a virtual patch via a WAF rule blocking the vulnerable plugin endpoint (may require Patchstack or similar managed rules and can interfere with legitimate plugin AJAX calls).

Share

CVE-2026-40779 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy