Description
The Generate Security.txt plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the site's security.txt file from the server filesystem or create the .well-known directory by directly invoking the delete_securitytxt or create_wellknown_folder AJAX actions.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check (CWE-862) on two AJAX actions, delete_securitytxt and create_wellknown_folder. Any authenticated user, down to the Subscriber role, can invoke them directly and either delete the site's security.txt file from the server filesystem or create the .well-known directory. Deleting the file removes the site's published vulnerability-disclosure contact information, which is the whole purpose of security.txt; creating the directory is a minor filesystem change on its own. The CVSS vector (C:N/I:L/A:N) matches this: a low integrity impact with no confidentiality or availability impact, caused by the plugin performing a privileged action without the capability check a user would expect.

Affected Systems

The issue affects all installations of the WordPress plugin “Generate Security.txt” (vendor: verenigingvanregistrars) at any version up to and including 1.0.12.

Risk and Exploitability

The CVSS v3.1 base score of 4.3 (Medium) comes from the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N: reachable over the network with low complexity and no user interaction, but requiring low-privileged credentials and yielding only a low integrity impact. Exploitation therefore depends on the attacker holding or obtaining any account on the site; where self-registration is enabled (new users default to the Subscriber role) that bar is low. The EPSS estimate is below 1% and the CVE is not in the CISA KEV catalog. The attack path is a logged-in user sending a request to wp-admin/admin-ajax.php with the action parameter set to delete_securitytxt or create_wellknown_folder; WordPress dispatches such a request to the plugin's handler for any authenticated user, and the plugin does not check the caller's capabilities before acting on it.

Generated by OpenCVE AI on June 24, 2026 at 09:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Generate Security.txt plugin as soon as the vendor publishes a release later than 1.0.12 that adds authorization checks to the delete_securitytxt and create_wellknown_folder actions; at the time of writing no fixed version is listed.
  • If an update is not available, patch the plugin locally so each handler calls current_user_can( 'manage_options' ) and check_ajax_referer() before touching the filesystem. A login check alone is insufficient: the wp_ajax_* hooks already fire only for logged-in users, and that is exactly the population the vulnerability covers. A weak capability such as edit_posts is also insufficient, since Contributors and Authors hold it.
  • Disable or remove the plugin entirely if it is not required for the site’s operations; a static security.txt already in place under .well-known is served by the web server without any plugin.
  • Reduce the pool of accounts that can reach the action: disable open registration if it is not needed and review existing low-privilege accounts, since any authenticated user, not only an over-privileged one, can trigger the bug.
  • Run PHP with least privilege on the web root. If the web server process cannot write to the .well-known directory the deletion fails regardless of the missing check, but the plugin’s own legitimate writes fail too, so the file then has to be managed out of band.
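The vulnerable pattern and its hardened form, as an added illustrative example in PHP rather than code from the Generate Security.txt plugin. It assumes WordPress's standard AJAX dispatch, in which a request to wp-admin/admin-ajax.php with action=delete_securitytxt fires the wp_ajax_delete_securitytxt hook for any logged-in user; the function names and nonce action strings prefixed gst_example_ are hypothetical.

```php
<?php
/**
 * Added illustrative example, not code from the Generate Security.txt plugin.
 * Assumes WordPress's standard dispatch: a request to wp-admin/admin-ajax.php
 * with action=delete_securitytxt fires the wp_ajax_delete_securitytxt hook for
 * every logged-in user, whatever their role. Names prefixed gst_example_ are
 * hypothetical.
 */

// Shared filesystem work, kept separate from the authorization decision.
function gst_example_securitytxt_path() {
    return rtrim( ABSPATH, '/\\' ) . '/.well-known/security.txt';
}

function gst_example_delete_file() {
    $path = gst_example_securitytxt_path();
    if ( ! file_exists( $path ) ) {
        return 'absent';
    }
    return unlink( $path ) ? 'deleted' : 'unlink_failed';
}

function gst_example_create_folder() {
    $dir = dirname( gst_example_securitytxt_path() );
    // wp_mkdir_p() is idempotent and creates missing parent directories.
    return wp_mkdir_p( $dir ) ? 'created' : 'mkdir_failed';
}

// VULNERABLE pattern (the bug class CVE-2026-9616 describes): the handler
// acts as soon as it is reached, and wp_ajax_* reaches it for any
// authenticated session, including a Subscriber's. Shown for contrast and
// deliberately NOT hooked with add_action().
function gst_example_vulnerable_delete() {
    // No current_user_can(), no nonce check.
    wp_send_json_success( gst_example_delete_file() );
}

// HARDENED pattern: authorization first, CSRF token second, then act.
function gst_example_authorize( $nonce_action ) {
    // Writing to the web root is an administrative operation; require
    // manage_options (held by Administrators only on a single site).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // ends the request via wp_die()
    }
    // Reject requests that do not carry a nonce minted for this action with
    // wp_create_nonce( $nonce_action ) on the plugin's settings page.
    // check_ajax_referer() terminates the request on failure.
    check_ajax_referer( $nonce_action, '_ajax_nonce' );
}

add_action( 'wp_ajax_delete_securitytxt', 'gst_example_hardened_delete' );
function gst_example_hardened_delete() {
    gst_example_authorize( 'gst_example_delete_securitytxt' );
    wp_send_json_success( gst_example_delete_file() );
}

add_action( 'wp_ajax_create_wellknown_folder', 'gst_example_hardened_create' );
function gst_example_hardened_create() {
    gst_example_authorize( 'gst_example_create_wellknown_folder' );
    wp_send_json_success( gst_example_create_folder() );
}
```

The admin-side JavaScript that calls these actions has to send the matching nonce in the _ajax_nonce field (typically passed to the script with wp_localize_script()), otherwise legitimate administrators are rejected along with attackers. A quick regression check after patching: the same POST to admin-ajax.php from a Subscriber session should now return a JSON error with HTTP 403 instead of deleting the file.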

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 06:30:00 +0000

Type | Values Removed | Values Added
Description | - | The Generate Security.txt plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the site's security.txt file from the server filesystem or create the .well-known directory by directly invoking the delete_securitytxt or create_wellknown_folder AJAX actions.
Title | - | Generate Security.txt <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Security.txt Deletion via delete_securitytxt AJAX Action
Weaknesses | - | CWE-862
References | - | -
Metrics | - | cvssV3_1: score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-24T05:33:28.406Z

Reserved: 2026-05-26T16:34:57.133Z

Link: CVE-2026-9616

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:15:06Z

Weaknesses