File Deletion Vulnerability in Word Count and Social Shares Plugin for WordPress
CVE-2026-11563
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 14 July 2026
Badges
What is CVE-2026-11563?
The Word Count and Social Shares plugin for WordPress versions up to 1.0 has a serious security issue where it fails to validate user-supplied file paths before performing deletions. This vulnerability allows authenticated users, such as those with Subscriber roles, to delete any file on the server, including critical files like wp-config.php. The absence of proper authorization and CSRF checks further exacerbates this risk, potentially leading to complete site takeovers. Website owners should immediately review this vulnerability and implement necessary updates to secure their installations.
Affected Version(s)
Word Count and Social Shares 0 <= 1.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.