Critical (9.8)

CVE-2026-1306

The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1...

CVSS Score 9.8

Overview

A critical security vulnerability has been identified in the midi-Synth plugin for WordPress. This flaw allows unauthenticated attackers to upload any file type directly to a vulnerable website’s server, creating a severe risk of complete site compromise.

Vulnerability Details

The vulnerability exists in the plugin’s ‘export’ feature. In all versions up to and including 1.1.0, the code does not properly check the type or extension of files being uploaded. This lack of validation is compounded by a second critical issue: the security token (nonce) required to perform this action is not adequately protected. The token is embedded in the website’s public-facing JavaScript code, making it easily accessible to any site visitor, even without a login.

In simple terms, this creates an open door. An attacker can visit the site, copy the token from the page source, and then use it to upload malicious files, such as a web shell, directly to your server.

Potential Impact

The impact of this vulnerability is severe (CVSS Score: 9.8/10, CRITICAL). Successful exploitation can lead to:

  • Remote Code Execution (RCE): An attacker can upload a script that gives them full control over your web server.
  • Website Defacement: Attackers can replace or alter your website’s pages.
  • Data Theft: They can access sensitive information from your database or server files.
  • Malware Distribution: Your site could be used to host and spread malware to your visitors.
  • Further Network Intrusion: The compromised server can be used as a foothold to attack other systems within your network.

Remediation and Mitigation Steps

Immediate action is required to secure affected websites.

1. Primary Solution: Update or Remove the Plugin

  • Update: Check if the plugin developer has released a patched version (above 1.1.0). If a patch is available, update the plugin immediately.
  • Remove: If you do not actively use this plugin, or if a patch is not yet available, completely deactivate and delete it from your WordPress site. This is the most effective immediate mitigation.

2. Compromise Assessment: If your site was running the vulnerable version, assume it may have been compromised. You should:

  • Scan your website’s files for recently uploaded or suspicious files (e.g., .php, .phtml, .txt files in upload directories that you don’t recognize).
  • Review server and WordPress access/error logs for unusual activity around the /wp-admin/admin-ajax.php endpoint.
  • Consider a professional security audit.

3. General Security Hygiene:

  • Maintain a regular schedule for updating all WordPress plugins, themes, and the core installation.
  • Implement a web application firewall (WAF) which can help block malicious file upload attempts.
  • Ensure you have recent, restorable backups of your entire website and database.

Affected Software: midi-Synth WordPress plugin versions <= 1.1.0.