CVE-2026-11563
Unknown · Word Count and Social Shares
The Word Count and Social Shares WordPress plugin contains a file deletion vulnerability due to insufficient validation and authorization checks.
Executive summary
This critical vulnerability allows authenticated users to delete arbitrary files on the server, potentially leading to a complete site takeover.
Vulnerability
The plugin fails to validate user-supplied file paths and lacks necessary authorization or CSRF protections. This permits an authenticated user, such as one with Subscriber privileges, to delete critical system files like wp-config.php.
Business impact
Successful exploitation of this flaw can result in total loss of site availability and integrity. Because the vulnerability allows for the deletion of core configuration files, an attacker could effectively disable the entire WordPress instance or trigger a site reset. With a CVSS score of 9.6, this represents a severe risk to organizational operations and data integrity.
Remediation
Immediate Action: Since no specific patch version is currently identified, administrators should immediately deactivate and uninstall the Word Count and Social Shares plugin until a secure version is released by the developer.
Proactive Monitoring: Review web server access logs for unusual requests targeting configuration files or file deletion patterns.
Compensating Controls: Implement a Web Application Firewall (WAF) rule to block requests to sensitive system files and restrict access to plugin administrative functions.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Given the potential for full site compromise and the existence of a proof-of-concept, this vulnerability poses a significant threat. Administrators must prioritize the removal of the affected software immediately to prevent unauthorized file manipulation.