CVE-2026-11563
Word Count and Social Shares <= 1.0 - Subscriber+ Arbitrary File Deletion via Path Traversal
CVSS Score
9.6
EPSS Score
0.0%
EPSS Percentile
0th
The Word Count and Social Shares WordPress plugin through 1.0 does not validate a user-supplied file path before deletion, nor does it have proper authorization or CSRF checks, allowing any authenticated user, such as a Subscriber, to delete arbitrary files on the server, which can lead to a full site takeover (e.g. by deleting wp-config.php).
| Vendor | unknown |
| Product | word count and social shares |
| Published | Jul 14, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown word count and social shares
Be the first to know when new critical vulnerabilities affecting unknown word count and social shares are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / Word Count and Social Shares
0 โค 1.0
References
Credits
Muni Nitish Kumar Yaddala WPScan