CVE-2026-9616 (GCVE-0-2026-9616)

Vulnerability from cvelistv5 – Published: 2026-06-24 05:33 – Updated: 2026-06-24 05:33
VLAI
Title
Generate Security.txt <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Security.txt Deletion via delete_securitytxt AJAX Action
Summary
The Generate Security.txt plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the site's security.txt file from the server filesystem or create the .well-known directory by directly invoking the delete_securitytxt or create_wellknown_folder AJAX actions.
Severity
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE
Assigner
References
Impacted products
Vendor Product Version
verenigingvanregistrars Generate Security.txt Affected: 0 , ≤ 1.0.12 (semver)
Create a notification for this product.
Credits
Benedictus Jovan
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Generate Security.txt",
          "vendor": "verenigingvanregistrars",
          "versions": [
            {
              "lessThanOrEqual": "1.0.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Benedictus Jovan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Generate Security.txt plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the site\u0027s security.txt file from the server filesystem or create the .well-known directory by directly invoking the delete_securitytxt or create_wellknown_folder AJAX actions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T05:33:28.406Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8d88cc2-91e4-4e53-8c46-93d6ce8bc320?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.12/admin/class-generate-security-txt-admin.php#L1963"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.12/admin/class-generate-security-txt-admin.php#L1930"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.12/admin/class-generate-security-txt-admin.php#L174"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.11/admin/class-generate-security-txt-admin.php#L1963"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.11/admin/class-generate-security-txt-admin.php#L1930"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.11/admin/class-generate-security-txt-admin.php#L174"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-23T16:40:38.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Generate Security.txt \u003c= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Security.txt Deletion via delete_securitytxt AJAX Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-9616",
    "datePublished": "2026-06-24T05:33:28.406Z",
    "dateReserved": "2026-05-26T16:34:57.133Z",
    "dateUpdated": "2026-06-24T05:33:28.406Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-9616",
      "date": "2026-06-24",
      "epss": "0.0024",
      "percentile": "0.14858"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.