Skip to main content

Generate Security Txt

1 CVEs product

Monthly

CVE-2026-9616 MEDIUM This Month

Authorization bypass in the Generate Security.txt WordPress plugin (all versions through 1.0.12) allows authenticated attackers with subscriber-level access to delete the site's security.txt file or create the .well-known directory by invoking unprotected AJAX actions directly. The root cause is a failure to verify user capabilities before executing the delete_securitytxt and create_wellknown_folder AJAX handlers, a classic CWE-862 (Missing Authorization) pattern reported by Wordfence. No public exploit or CISA KEV listing has been identified at time of analysis, and with a CVSS score of 4.3 and limited integrity impact, this is a low-urgency but straightforward-to-exploit flaw for any authenticated WordPress user.

Authentication Bypass WordPress Generate Security Txt
NVD
CVSS 3.1
4.3
EPSS
0.2%
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Generate Security.txt WordPress plugin (all versions through 1.0.12) allows authenticated attackers with subscriber-level access to delete the site's security.txt file or create the .well-known directory by invoking unprotected AJAX actions directly. The root cause is a failure to verify user capabilities before executing the delete_securitytxt and create_wellknown_folder AJAX handlers, a classic CWE-862 (Missing Authorization) pattern reported by Wordfence. No public exploit or CISA KEV listing has been identified at time of analysis, and with a CVSS score of 4.3 and limited integrity impact, this is a low-urgency but straightforward-to-exploit flaw for any authenticated WordPress user.

Authentication Bypass WordPress Generate Security Txt
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy