External risk intelligence

Word Count and Social Shares Plugin Arbitrary File Deletion Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-11563

The vulnerability resides in a WordPress plugin. WordPress installations are commonly deployed as public-facing web applications, making the plugin's functionality and its associated attack surface reachable over the internet in standard web server deployments.

Cross-site Request Forgery

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability impacts a WordPress plugin, potentially allowing unauthorized users to delete critical files, which could lead to complete website compromise. The primary concern is confirming if this plugin is in use and if any exposure exists.

  • Allows deletion of any server files.
  • Affects website integrity and availability.
  • Confirm plugin usage and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by leveraging an authenticated user's access to delete arbitrary files on the server. This is possible because the plugin does not properly validate user-provided file paths before deletion and lacks essential security checks for authorization and cross-site request forgery. If an attacker successfully deletes critical files, such as the configuration file, it can result in a complete website takeover.

  • Authenticated user access required.
  • Deletes arbitrary files via file path.
  • Leads to full site takeover.

Live Threat

Current exploitation, exposure, and threat context

Authenticated users could delete arbitrary files on the server, potentially impacting site integrity and availability. This could occur when an authenticated user, such as a Subscriber, leverages the plugin's insufficient file path validation and authorization checks.

  • Arbitrary file deletion.
  • Unauthenticated file deletion.
  • Complete site takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in a WordPress plugin indicates that platform or web application teams are likely responsible for remediation, potentially in coordination with security teams to manage exposure. The first practical step is to identify all WordPress instances, confirm if this plugin is in use and accessible externally, and then determine the business criticality of each instance to prioritize efforts.

  • Platform/App owners should investigate.
  • Verify plugin usage and accessibility.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Word Count and Social Shares plugin?

This is a WordPress plugin designed to track content metrics, specifically word counts and social media engagement for posts. WordPress plugins are modular add-ons that extend the core functionality of a site; this specific tool integrates directly into the WordPress environment to display data to visitors or administrators.

How does CVE-2026-11563 allow file deletion?

The plugin suffers from an Improper Neutralization of Special Elements used in a Pathname vulnerability. Essentially, it fails to verify that the file path provided by a user is legitimate before processing a deletion request. Because it lacks checks to confirm who is allowed to perform this action, it permits a user to specify almost any file on the server for removal.

Does this vulnerability trigger automatically?

No. The flaw requires an active, authenticated user account on the WordPress site to initiate the request. It does not trigger via automated background processes or through simple public browsing. An attacker must successfully gain access to an account—even one with low-level subscriber privileges—to reach the vulnerable code path.

Is my site at risk according to Halo Surface Signal?

Yes, if you use this plugin, you are likely at risk. Halo Surface Signal identifies this as a significant concern because WordPress sites are typically deployed as public-facing web applications. Since the plugin's features are generally accessible over the internet, the vulnerable code is reachable by remote users, increasing the likelihood of successful exploitation.

What should I do first to manage this issue?

Start by auditing your WordPress environment to determine if the Word Count and Social Shares plugin is currently active. If you find it, confirm whether the site is accessible from the internet. Once you have identified all instances, review your site's operational needs to decide if the plugin can be safely removed or disabled until a secure update is available.

References