Platform: wordpress
Component: meta-box
Fixed in: 5.11.2
CVE-2026-39468 describes an arbitrary file access vulnerability discovered in the Meta Box plugin for WordPress. This flaw allows authenticated attackers, even those with Contributor-level access, to delete files on the server. The vulnerability impacts versions of Meta Box up to and including 5.11.1. A fix has been released in version 5.11.2.
The primary impact of CVE-2026-39468 is the ability for an authenticated attacker to delete arbitrary files on a WordPress server. While the vulnerability requires authentication (Contributor access or higher), this is a relatively low barrier to entry for many WordPress sites. The most critical consequence arises when an attacker deletes the wp-config.php file, which contains sensitive database credentials and configuration settings. Deletion of this file would effectively disable the WordPress site and potentially allow the attacker to gain control of the database. Further file deletions could lead to denial of service or the compromise of other sensitive data stored on the server.
CVE-2026-39468 was publicly disclosed on 2026-04-13. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The relatively low access requirements (Contributor role), combined with the potential for RCE through wp-config.php deletion, warrant careful attention and prompt patching.
The most effective mitigation for CVE-2026-39468 is to immediately upgrade the Meta Box plugin to version 5.11.2 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider restricting file access permissions on the server to limit the impact of a successful exploit. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block suspicious file deletion attempts can provide an additional layer of defense. Monitor WordPress logs for unusual file deletion activity, particularly targeting wp-config.php.
Update to version 5.11.2, or a newer patched version
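The version check and the wp-config.php check described above can be automated per site. The following is an added example, not code from the Meta Box project or from this advisory; it assumes the plugin is installed under wp-content/plugins/meta-box/ with a standard WordPress "Version:" header in meta-box.php, and the sample tree it audits is constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (5, 11, 2)  # first patched Meta Box release, per the advisory
PLUGIN_MAIN = Path("wp-content/plugins/meta-box/meta-box.php")  # assumed install path

def parse_version(header_text):
    """Return the version from a WordPress plugin header as a tuple, or None."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", header_text, re.M | re.I)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad "5.11" to (5, 11, 0)

def audit_site(wp_root):
    """Report an affected Meta Box install and a missing wp-config.php."""
    root, findings = Path(wp_root), []
    main_file = root / PLUGIN_MAIN
    if main_file.is_file():
        # WordPress reads plugin headers from the first 8 KB of the file.
        version = parse_version(main_file.read_text(errors="replace")[:8192])
        if version is None:
            findings.append("meta-box: no readable Version header, check manually")
        elif version < FIXED:
            findings.append("meta-box %s is affected, upgrade to 5.11.2 or later"
                            % ".".join(map(str, version)))
    # WordPress also accepts wp-config.php one directory above the root.
    if not any((d / "wp-config.php").is_file() for d in (root, root.parent)):
        findings.append("wp-config.php missing, investigate as possible file deletion")
    return findings

def build_sample_site(base, version, with_config=True):
    """Create a constructed (fake) WordPress tree for demonstration."""
    root = Path(base) / "site"
    (root / PLUGIN_MAIN).parent.mkdir(parents=True)
    (root / PLUGIN_MAIN).write_text("<?php\n/**\n * Plugin Name: Meta Box\n"
                                    " * Version: %s\n */\n" % version)
    if with_config:
        (root / "wp-config.php").write_text("<?php // constructed placeholder\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for line in audit_site(build_sample_site(tmp, "5.11.1", with_config=False)):
            print(line)
```

Run audit_site() against each real WordPress root from a scheduled job; an empty list means the plugin is at 5.11.2 or later (or absent) and wp-config.php is present.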
CVE-2026-39468 is a HIGH severity vulnerability in the Meta Box WordPress plugin allowing authenticated users to delete files, potentially leading to remote code execution.
You are affected if you are using Meta Box version 5.11.1 or earlier. Upgrade to 5.11.2 or later to mitigate the risk.
Upgrade the Meta Box plugin to version 5.11.2 or later through the WordPress plugin management interface.
As of now, there are no confirmed reports of active exploitation, but the potential for RCE warrants prompt action.
Refer to the Meta Box plugin website and WordPress security announcements for the official advisory and further details.