CVE-2026-11563 PUBLISHED

Word Count and Social Shares <= 1.0 - Subscriber+ Arbitrary File Deletion via Path Traversal

Assigner: WPScan
Reserved: 08.06.2026 Published: 14.07.2026 Updated: 14.07.2026

The Word Count and Social Shares WordPress plugin through 1.0 does not validate a user-supplied file path before deletion, nor does it have proper authorization or CSRF checks, allowing any authenticated user, such as a Subscriber, to delete arbitrary files on the server, which can lead to a full site takeover (e.g. by deleting wp-config.php).

Product Status

Vendor Unknown
Product Word Count and Social Shares
Versions Default: unknown
  • affected from 0 to 1.0 (incl.)

Credits

  • Muni Nitish Kumar Yaddala finder
  • WPScan coordinator

References

Problem Types

  • CWE-73 External Control of File Name or Path CWE
  • CWE-352 Cross-Site Request Forgery (CSRF) CWE