CVE-2026-39468

Vulnerability

The Meta Box – WordPress Custom Fields Framework plugin suffers from an arbitrary file deletion vulnerability in versions 5.11.1 and earlier. The flaw arises from insufficient validation of file paths when handling contributor-level requests, allowing authenticated users with Contributor access to delete arbitrary files on the server [1].

Exploitation

An authenticated attacker with a Contributor-level account on a WordPress site running the vulnerable plugin can exploit this vulnerability. The attacker sends a crafted request specifying the path of a file to be deleted. No special privileges beyond Contributor access are required, and the attack does not require user interaction from other roles [1].

Impact

Successful exploitation allows the attacker to delete arbitrary files from the WordPress installation. If critical core, plugin, or theme files are deleted, the site may become non-functional or suffer data loss. The vulnerability could be leveraged in mass-exploit campaigns to compromise thousands of sites at once [1].

Mitigation

The vulnerability is fixed in version 5.11.2 of the plugin, released on 2026-06-15. Administrators should update immediately to version 5.11.2 or later. For those unable to update, Patchstack provides a mitigation rule to block attacks until the update is applied [1].