CVE-2026-1306
Arbitrary File Upload in midi-Synth WordPress Plugin Enables RCE
Publication date: 2026-02-14
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| midisynth | plugin | to 1.1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The midi-Synth plugin for WordPress, up to and including version 1.1.0, is vulnerable to arbitrary file uploads because it lacks proper validation of file types and file extensions in its 'export' AJAX action.
This vulnerability allows unauthenticated attackers to upload any file to the affected website's server. The attack is facilitated by the exposure of a valid nonce in the frontend JavaScript, which attackers can easily access without authentication.
If an attacker successfully uploads malicious files, it may lead to remote code execution on the server, potentially compromising the entire site.
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized file uploads by attackers, which can lead to remote code execution on your server.
- Attackers can upload malicious scripts or files that could be executed remotely.
- Compromise of the website's server integrity and confidentiality.
- Potential full site takeover or defacement.
- Exposure of sensitive data or disruption of services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves the midi-Synth WordPress plugin allowing unauthenticated arbitrary file uploads via the 'export' AJAX action, which uses a nonce exposed in frontend JavaScript. Detection can focus on monitoring HTTP requests to the affected WordPress site for suspicious POST requests to the AJAX export endpoint that include file upload data."}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts or presence of the vulnerability include:'}, {'type': 'list_item', 'content': "Using web server access logs, search for POST requests to admin-ajax.php with the action parameter related to 'export' or midiSynth export functionality."}, {'type': 'list_item', 'content': "Example command to search Apache/Nginx logs for suspicious export AJAX calls:\n\n grep 'POST .*admin-ajax.php' /var/log/apache2/access.log | grep 'action=export'"}, {'type': 'list_item', 'content': "Monitor for unexpected file uploads or new files in the plugin's sound directory or other writable directories on the server."}, {'type': 'list_item', 'content': 'Use WordPress security plugins or web application firewalls (WAF) to detect or block unauthorized AJAX export requests.'}, {'type': 'list_item', 'content': 'Check frontend JavaScript code for exposure of the nonce token which could be used by attackers.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for this vulnerability include:
- Update the midi-Synth plugin to a version later than 1.1.0 where the vulnerability is fixed, if available.
- If an update is not available, temporarily disable or deactivate the midi-Synth plugin to prevent exploitation.
- Restrict access to the AJAX export endpoint by implementing additional authentication or IP restrictions.
- Use a Web Application Firewall (WAF) to block unauthorized POST requests to the export AJAX action.
- Audit and remove any suspicious files uploaded to the server via this vulnerability.
- Review and secure nonce handling in the plugin to prevent exposure in frontend JavaScript.