PatchSiren cyber security CVE debrief
CVE-2026-11563 WordPress CVE debrief
The CVE record for CVE-2026-11563 was published on 2026-07-14T06:16:48.873Z and has not been modified since then. The NVD entry is currently marked as Received. This vulnerability affects the Word Count and Social Shares WordPress plugin through version 1.0, allowing any authenticated user to delete arbitrary files due to lack of validation, authorization, and CSRF checks. Successful exploitation could lead to a full site takeover by deleting critical files like wp-config.php. Users of the affected plugin, particularly those with Subscriber-level access, should be aware of this vulnerability and take steps to protect their sites.
- Vendor
- WordPress
- Product
- Word Count and Social Shares WordPress plugin
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Users of the Word Count and Social Shares WordPress plugin, particularly those with Subscriber-level access, should be aware of this vulnerability and take steps to protect their sites. Site administrators and security teams managing WordPress installations with this plugin should prioritize remediation efforts to prevent potential site takeovers.
Technical summary
The Word Count and Social Shares WordPress plugin through version 1.0 does not validate user-supplied file paths before deletion and lacks proper authorization and CSRF checks. This allows any authenticated user, such as a Subscriber, to delete arbitrary files on the server. If an attacker deletes critical files like wp-config.php, it could lead to a full site takeover. Site administrators should prioritize updating the plugin or implementing compensating controls to mitigate this vulnerability.
Defensive priority
High priority for WordPress site administrators using the affected plugin, especially those with active Subscriber accounts, to prevent potential site takeovers through arbitrary file deletion.
Recommended defensive actions
- Immediately update the Word Count and Social Shares plugin to a version that fixes this vulnerability, if available.
- Restrict file deletion capabilities to trusted roles only.
- Implement additional monitoring for unauthorized file deletions.
- Consider temporarily disabling the plugin until a patch is applied.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
Evidence is limited; primary official records indicate a vulnerability exists in the Word Count and Social Shares WordPress plugin through version 1.0, which does not validate user-supplied file paths before deletion and lacks proper authorization and CSRF checks. This allows any authenticated user, such as a Subscriber, to delete arbitrary files on the server. Further verification is recommended to assess affected scope, potential impact, and validate vendor guidance.
Official resources
-
CVE-2026-11563 CVE record
CVE.org
-
CVE-2026-11563 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T06:16:48.873Z and has not been modified since then. The NVD entry is currently Received.