CVE-2026-40779
Description
WordPress Link Library plugin <=7.8.8 allows authenticated contributors to delete arbitrary files, causing potential site breakage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Link Library plugin for WordPress (version 7.8.8 and earlier) contains an arbitrary file deletion vulnerability exploitable by users with Contributor-level access. This occurs due to insufficient validation of file paths passed to the plugin's deletion functionality [1].
Exploitation
An attacker must first obtain a Contributor account on the target WordPress site. Using the plugin's interface or direct requests, they can supply a crafted file path to delete arbitrary files on the server [1]. No additional privileges or user interaction beyond the authenticated session are required.
Impact
Successful exploitation allows the attacker to delete any file on the web server, including WordPress core files, themes, plugins, or uploads. This can render the website inaccessible or completely broken [1].
Mitigation
Update the plugin to version 7.8.9 or later, which fixes the vulnerability. The vendor has released the patched version, and Patchstack also provides a mitigation rule to block exploitation attempts until the update is applied [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.