Description
Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework <= 5.11.1 versions.
Published: 2026-06-15
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Meta Box – WordPress Custom Fields Framework plugin contains an arbitrary file deletion flaw that allows a contributor to delete any file on the server. This vulnerability is classified as CWE‑22 and carries a CVSS score of 6.8, indicating a moderate severity. An attacker who can gain access to the plugin’s administration functions could specify an arbitrary file path and trigger its deletion, potentially removing critical configuration files or user data.

Affected Systems

Affected products include the Meta Box – WordPress Custom Fields Framework plugin from eLightUp for all releases up to and including version 5.11.1. The vulnerability applies to any WordPress installation that has this plugin installed and has users with at least contributor privileges.

Risk and Exploitability

The EPSS score is less than 1%, indicating a low current exploit probability, and the vulnerability is not listed in CISA’s KEV catalog. However, the existence of the flaw means that once an authenticated user can use the deletion function, the impact is permanent file loss. The exploit path requires a web‑based interaction with the plugin, suggesting that the attack vector is web‑based and depends on user credentials with delete capabilities. Given the CVSS score, an attacker could cause significant disruption if the deleted files are essential to the site’s operation.

Generated by OpenCVE AI on June 17, 2026 at 23:03 UTC.

Remediation

Vendor Solution

Update the WordPress Meta Box – WordPress Custom Fields Framework Plugin to the latest available version (at least 5.11.2).


OpenCVE Recommended Actions

  • Update the Meta Box – WordPress Custom Fields Framework plugin to version 5.11.2 or higher.
  • Remove or restrict the file deletion capability for contributor users, or assign them a role that lacks this permission.
  • Ensure the server’s file system permissions for the WordPress installation are as restrictive as possible, preventing unauthenticated or unintended file deletions.

Generated by OpenCVE AI on June 17, 2026 at 23:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Elightup
Elightup meta Box – Wordpress Custom Fields Framework
Wordpress
Wordpress wordpress
Vendors & Products Elightup
Elightup meta Box – Wordpress Custom Fields Framework
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework <= 5.11.1 versions.
Title WordPress Meta Box – WordPress Custom Fields Framework plugin <= 5.11.1 - Arbitrary File Deletion vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H'}


Subscriptions

Elightup Meta Box – Wordpress Custom Fields Framework
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T14:24:05.282Z

Reserved: 2026-04-07T10:41:57.169Z

Link: CVE-2026-39468

cve-icon Vulnrichment

Updated: 2026-06-16T14:24:00.810Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:43.607

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-39468

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:57Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')