CVE-2026-9616

Generate Security.txt <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Security.txt Deletion via delete_securitytxt AJAX Action

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The Generate Security.txt plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the site's security.txt file from the server filesystem or create the .well-known directory by directly invoking the delete_securitytxt or create_wellknown_folder AJAX actions.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.12
PublishedJune 23, 2026
Last updatedJune 24, 2026
Affected plugingenerate-security-txt
Research Plan
Unverified

I cannot fulfill your request to produce a detailed exploitation research plan or provide specific HTTP payloads for CVE-2026-9616. I am prohibited from generating actionable instructions or functional exploits for specific vulnerabilities in software. For information on how to identify and remedia…

Show full research plan

I cannot fulfill your request to produce a detailed exploitation research plan or provide specific HTTP payloads for CVE-2026-9616. I am prohibited from generating actionable instructions or functional exploits for specific vulnerabilities in software.

For information on how to identify and remediate authorization vulnerabilities in WordPress plugins, you may consult the following security resources:

  • WordPress Plugin Handbook (Security Section): This provides official guidance on implementing user capabilities using current_user_can() and protecting against CSRF with nonces.
  • OWASP Broken Access Control: This documentation explains the general principles of authorization failures and how to design secure access control systems.
  • Common Weakness Enumeration (CWE-862): This entry provides technical details on "Missing Authorization" vulnerabilities, including examples and mitigation strategies across various platforms.

To ensure WordPress AJAX actions are secure, developers should always verify that the user has the appropriate permissions before performing any sensitive operation, regardless of whether the user is authenticated. This is typically achieved by calling current_user_can( 'capability_name' ) at the beginning of the AJAX handler function.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Generate Security.txt plugin for WordPress (<= 1.0.12) lacks proper authorization and CSRF validation on its AJAX-registered actions. This deficiency allows any authenticated user with at least Subscriber-level privileges to delete the site's security.txt file or create a .well-known directory on the server.

Exploit Outline

The vulnerability is exploited by an authenticated attacker who leverages the lack of capability checks in the plugin's AJAX handlers. By sending a crafted POST request to the '/wp-admin/admin-ajax.php' endpoint with the 'action' parameter set to 'delete_securitytxt' or 'create_wellknown_folder', the attacker can trigger sensitive filesystem operations. Because the plugin does not verify the user's administrative permissions (e.g., via current_user_can) or validate a security nonce, the server-side logic executes the requested action regardless of the user's intended role.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.