Skip to main content

Word Count And Social Shares

1 CVEs product

Monthly

CVE-2026-11563 CRITICAL POC Act Now

Arbitrary file deletion in the Word Count and Social Shares WordPress plugin (versions through 1.0) lets any authenticated low-privilege user, including a Subscriber, delete any file the web server can reach because the plugin neither validates the supplied file path nor enforces authorization or CSRF protection. Deleting critical files such as wp-config.php can trigger WordPress's setup/installation flow and enable a full site takeover. Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as actively used, and the issue is not on the CISA KEV list.

PHP CSRF WordPress Word Count And Social Shares
NVD WPScan
CVSS 3.1
9.6
EPSS
0.1%
EPSS 0% CVSS 9.6
CRITICAL POC Act Now

Arbitrary file deletion in the Word Count and Social Shares WordPress plugin (versions through 1.0) lets any authenticated low-privilege user, including a Subscriber, delete any file the web server can reach because the plugin neither validates the supplied file path nor enforces authorization or CSRF protection. Deleting critical files such as wp-config.php can trigger WordPress's setup/installation flow and enable a full site takeover. Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as actively used, and the issue is not on the CISA KEV list.

PHP CSRF WordPress +1
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy