{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-9616", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-05-26T16:34:57.133Z", "datePublished": "2026-06-24T05:33:28.406Z", "dateUpdated": "2026-06-24T05:33:28.406Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-06-24T05:33:28.406Z"}, "affected": [{"vendor": "verenigingvanregistrars", "product": "Generate Security.txt", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Generate Security.txt plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the site's security.txt file from the server filesystem or create the .well-known directory by directly invoking the delete_securitytxt or create_wellknown_folder AJAX actions."}], "title": "Generate Security.txt <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Security.txt Deletion via delete_securitytxt AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8d88cc2-91e4-4e53-8c46-93d6ce8bc320?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.12/admin/class-generate-security-txt-admin.php#L1963"}, {"url": "https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.12/admin/class-generate-security-txt-admin.php#L1930"}, {"url": "https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.12/admin/class-generate-security-txt-admin.php#L174"}, {"url": "https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.11/admin/class-generate-security-txt-admin.php#L1963"}, {"url": "https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.11/admin/class-generate-security-txt-admin.php#L1930"}, {"url": "https://plugins.trac.wordpress.org/browser/generate-security-txt/tags/1.0.11/admin/class-generate-security-txt-admin.php#L174"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Benedictus Jovan"}], "timeline": [{"time": "2026-06-23T16:40:38.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{}

{}

{}