Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Network-reachable WordPress endpoint (AV:N), straightforward traversal (AC:L), needs contributor account (PR:L), no victim interaction (UI:N), deletes files outside plugin scope (S:C), only availability impacted (A:H).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions.
AnalysisAI
Arbitrary file deletion in the Link Library WordPress plugin (versions 7.8.8 and earlier) allows authenticated contributors to delete arbitrary files on the server via a path traversal flaw. Reported by Patchstack and tracked as EUVD-2026-36986, the issue enables low-privileged authors of WordPress content to disrupt site availability by removing critical files such as wp-config.php; no public exploit identified at time of analysis.
Technical ContextAI
Link Library is a WordPress plugin by Yannick Lefebvre (CPE cpe:2.3:a:yannick_lefebvre:link_library) used to manage and display link directories on WordPress sites. The flaw is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal), meaning a file-handling routine in the plugin accepts attacker-controlled path input without canonicalizing or restricting it to an allowed directory, letting traversal sequences resolve to files outside the intended scope. Because WordPress contributor accounts can typically be obtained on sites that allow open registration or via compromised low-tier accounts, the traversal primitive becomes reachable from a normal authenticated plugin endpoint rather than an admin-only one.
RemediationAI
Upstream fix available per the Patchstack advisory; a released patched version is not independently confirmed in the provided data, so WordPress administrators should monitor the plugin page and upgrade Link Library to the first version above 7.8.8 as soon as it is published, consulting https://patchstack.com/database/wordpress/plugin/link-library/vulnerability/wordpress-link-library-plugin-7-8-8-arbitrary-file-deletion-vulnerability for the exact fixed release. As compensating controls while waiting for or unable to apply the patch, deactivate the Link Library plugin entirely (loses link-directory functionality on the site), restrict contributor account creation by disabling open registration in WordPress general settings (prevents anonymous attackers from acquiring the needed role at the cost of friction for legitimate contributors), audit existing contributor and author accounts and demote or remove any that are not strictly required, and place the WordPress admin area behind a virtual patch via a WAF rule blocking the vulnerable plugin endpoint (may require Patchstack or similar managed rules and can interfere with legitimate plugin AJAX calls).
More in Link Library
View allImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yannick Lefebvre L
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yannick Lefebvre L
The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'll_reciprocal' parameter in
The Link Library plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the searchll parameter in all
The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'link-library' short
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Yannick Lef
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Yannick Lef
Cross-Site Request Forgery (CSRF) vulnerability in Yannick Lefebvre Link Library.5.13. Rated medium severity (CVSS 4.3),
The Link Library plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'searchll' parameter in al
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36986
GHSA-fgx4-f7jh-8whq