PatchSiren cyber security CVE debrief
CVE-2026-39468 eLightUp CVE debrief
CVE-2026-39468 is a medium-severity vulnerability in the Meta Box – WordPress Custom Fields Framework plugin, allowing contributors to delete arbitrary files. The vulnerability has a CVSS score of 6.8 and was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2026-39468).
- Vendor
- eLightUp
- Product
- Meta Box – WordPress Custom Fields Framework
- CVSS
- MEDIUM 6.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of the Meta Box – WordPress Custom Fields Framework plugin, particularly those allowing contributor roles, should be aware of this vulnerability.
Technical summary
The vulnerability, identified as CWE-22, allows contributors to delete arbitrary files due to improper handling of file paths. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H.
Defensive priority
MEDIUM
Recommended defensive actions
- Update the Meta Box – WordPress Custom Fields Framework plugin to a version beyond 5.11.1.
- Restrict file deletion capabilities to trusted roles.
- Monitor for suspicious file deletion activities.
Evidence notes
Evidence suggests that the vulnerability was discovered and reported by Patchstack (see [ref-4](https://patchstack.com/database/wordpress/plugin/meta-box/vulnerability/wordpress-meta-box-wordpress-custom-fields-framework-plugin-5-11-1-arbitrary-file-deletion-vulnerability?_s_id=cve)).
Official resources
-
CVE-2026-39468 CVE record
CVE.org
-
CVE-2026-39468 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
CVE-2026-39468 was published on 2026-06-15T21:16:43.607Z and modified on 2026-06-15T21:24:32.790Z.