Platform: wordpress
Component: meta-box
Fixed in: 5.11.2
CVE-2026-39468 describes an arbitrary file deletion vulnerability affecting the Meta Box plugin for WordPress. This flaw allows authenticated users with Contributor-level access or higher to delete files on the server, potentially leading to remote code execution. The vulnerability impacts versions of Meta Box up to and including 5.11.1, with a fix available in version 5.11.2.
The primary impact of CVE-2026-39468 is the ability for an authenticated attacker to delete arbitrary files on a WordPress server. While the vulnerability is classified as arbitrary file deletion, the potential for remote code execution is significant. Deleting the wp-config.php file, for example, would effectively disable the WordPress site and could allow an attacker to upload a malicious PHP script to gain full control. The ease of exploitation, requiring only Contributor-level access, broadens the attack surface considerably. This vulnerability shares similarities with other file deletion vulnerabilities where the deletion of critical configuration files can lead to complete system compromise.
CVE-2026-39468 was publicly disclosed on 2026-04-13. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's ease of exploitation suggests it could become a target for opportunistic attackers. It is not currently listed on the CISA KEV catalog. The relatively low access requirements (Contributor level) increase the likelihood of exploitation.
WordPress sites utilizing the Meta Box plugin, particularly those with a large number of users with Contributor-level access or higher, are at risk. Shared hosting environments where users have limited control over server file permissions are also particularly vulnerable. Sites relying on older, unpatched versions of Meta Box are most exposed.
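• wordpress / composer / npm:
# Check whether Meta Box is active (wp plugin list prints the plugin slug, not the display name)
wp plugin list --status=active | grep meta-box
• wordpress / composer / npm:
# Update all installed plugins, including Meta Box
wp plugin update --all
• wordpress / composer / npm:
# Show the installed version and update status of Meta Box
wp plugin status meta-box
• wordpress / composer / npm:
# List plugin files whose name contains delete.php
find /var/www/html/wp-content/plugins/meta-box/ -type f -name '*delete.php*'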
The primary mitigation for CVE-2026-39468 is to immediately upgrade the Meta Box plugin to version 5.11.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting file permissions on the WordPress server to limit the attacker's ability to delete sensitive files. Implement a Web Application Firewall (WAF) with rules to block suspicious file deletion requests. Monitor WordPress logs for unusual file deletion activity. After upgrading, verify the fix by attempting a file deletion operation with a Contributor-level user account to ensure the vulnerability is no longer exploitable.
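To confirm the upgrade across several sites, the installed version can be compared against 5.11.2 component by component; a plain string comparison would rank 5.9.10 above 5.11.2 and miss it. The script below is an added example, not code from the Meta Box project or the advisory; the function names, the "site,plugin,version" inventory format and the /srv/www paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag sites still running Meta Box <= 5.11.1 (CVE-2026-39468).
FIXED_VERSION="5.11.2"   # first fixed release, per the advisory

# version_lt A B: succeeds if dotted numeric version A is lower than B.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        # drop the consumed component ("11.1" -> "1", "1" -> "")
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        # keep leading digits only ("2-beta" -> 2); a missing component is 0
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # versions are equal
}

# collect_inventory DIR...: one "site,plugin,version" line per WordPress
# docroot; needs wp-cli. Sites without the plugin are skipped.
collect_inventory() {
    for dir in "$@"; do
        v=$(wp plugin get meta-box --field=version --path="$dir" 2>/dev/null) || continue
        echo "$dir,meta-box,$v"
    done
}

# audit_inventory: reads inventory lines on stdin, prints a verdict per site.
audit_inventory() {
    while IFS=, read -r site name version; do
        [ "$name" = "meta-box" ] || continue
        if version_lt "$version" "$FIXED_VERSION"; then
            echo "VULNERABLE $site meta-box $version"
        else
            echo "OK $site meta-box $version"
        fi
    done
    return 0
}

# Constructed sample inventory (hypothetical paths, not real hosts).
SAMPLE_INVENTORY='/srv/www/blog,meta-box,5.11.1
/srv/www/shop,meta-box,5.11.2
/srv/www/docs,meta-box,5.9.10
/srv/www/wiki,akismet,5.3'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

On a live host, replace the sample with `collect_inventory /path/to/site1 /path/to/site2 | audit_inventory`.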
Update to version 5.11.2 or a newer patched version.
CVE-2026-39468 is a HIGH severity vulnerability in the Meta Box WordPress plugin allowing authenticated users to delete files, potentially leading to remote code execution.
You are affected if you are using Meta Box version 5.11.1 or earlier. Upgrade to 5.11.2 or later to mitigate the risk.
Upgrade the Meta Box plugin to version 5.11.2 or later through the WordPress plugin management interface.
As of now, there are no confirmed reports of active exploitation, but the potential for RCE warrants prompt action.
Refer to the Meta Box plugin website and WordPress security announcements for the official advisory and further details.