PT-2026-51697 · WordPress · Generate Security.Txt
Benedictus Jovan · Published 2026-06-24 · Updated 2026-06-24 · CVE-2026-9616
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Generate Security.txt plugin for WordPress versions prior to 1.0.13
Description
The plugin fails to properly verify user authorization for specific actions. This allows authenticated attackers with subscriber-level access or higher to delete the site's security.txt file from the server filesystem or create the .well-known directory. This is achieved by directly invoking the AJAX actions delete securitytxt and create wellknown folder.
Recommendations
Update the plugin to version 1.0.13 or later.
As a temporary workaround, restrict access to the delete securitytxt and create wellknown folder AJAX actions for users with low-level privileges.
Fix
Missing Authorization
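One way to apply the temporary workaround above, as an added example that is not the plugin's own code or the vendor's patch: a must-use plugin that hooks each affected `wp_ajax_` action at priority 0 and rejects callers who lack an administrator capability. The action slugs are placeholders to replace with the exact names the plugin registers; the `manage_options` capability, the `gst_` names and the file name are assumptions.

```php
<?php
/**
 * Plugin Name: Guard Generate Security.txt AJAX actions (temporary workaround)
 *
 * Added example, not the plugin's code. Save as a must-use plugin, e.g.
 * wp-content/mu-plugins/guard-securitytxt-ajax.php (file name is an assumption).
 */

defined( 'ABSPATH' ) || exit;

// PLACEHOLDERS: replace with the exact action slugs the plugin registers for the
// two actions the advisory names ("delete securitytxt", "create wellknown folder").
const GST_GUARDED_ACTIONS = array(
	'REPLACE_WITH_DELETE_ACTION_SLUG',
	'REPLACE_WITH_CREATE_FOLDER_ACTION_SLUG',
);

// Assumption: only administrators should manage security.txt.
const GST_REQUIRED_CAP = 'manage_options';

/**
 * Runs before the plugin's own handler and stops the request for any
 * caller who lacks the required capability.
 */
function gst_guard_ajax_action() {
	if ( current_user_can( GST_REQUIRED_CAP ) ) {
		return; // Authorized: let the plugin's handler run.
	}
	// Record the blocked attempt so it can be reviewed later.
	error_log( sprintf(
		'Blocked AJAX action "%s" for user ID %d',
		isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '',
		get_current_user_id()
	) );
	// Sends a JSON error body with HTTP 403 and terminates the request.
	wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

foreach ( GST_GUARDED_ACTIONS as $gst_action ) {
	// wp_ajax_{action} fires for logged-in users; priority 0 runs ahead of
	// handlers registered at the default priority (10).
	add_action( 'wp_ajax_' . $gst_action, 'gst_guard_ajax_action', 0 );
	// Logged-out requests are rejected too, in case a nopriv handler exists.
	add_action( 'wp_ajax_nopriv_' . $gst_action, 'gst_guard_ajax_action', 0 );
}
```

Remove the file once the plugin is updated to version 1.0.13 or later.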
Affected Products
Generate Security.Txt