Cyber Posture

CVE-2026-1306

Severity: Critical
Published: 14 February 2026
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2773 (96.5th percentile)
Risk Priority: 36 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible granted the attacker can obtain a valid nonce. The nonce is exposed in frontend JavaScript, making it trivially accessible to unauthenticated attackers.

Mitigating Controls, NIST 800-53 r5 (AI-generated)

[prevent] Directly requires identifying, reporting, and correcting the arbitrary file upload flaw in the midi-Synth WordPress plugin to eliminate the vulnerability.

[prevent] Mandates validation of file types and extensions at the 'export' AJAX input point to block unauthenticated arbitrary file uploads.

[prevent, detect] Deploys malicious code protection mechanisms to scan and block potentially exploitable uploaded files before they enable remote code execution.
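The second control above describes the missing check in concrete terms: validate file type and extension at the AJAX input point, and do not treat a nonce that is visible in front-end JavaScript as the only gate. The following is an added illustration written for this page, not code from the midi-Synth plugin or its changeset; it shows how a WordPress AJAX upload handler of the kind described (here given the hypothetical action name 'midi_export', hook 'midi_safe_export_handler' and nonce action 'midi_export_nonce') is hardened using WordPress core functions. The allowlist of a single MIDI MIME type is constructed for the example.

```php
<?php
// Added illustration, not midi-Synth code: a hardened WordPress AJAX upload
// handler for an action analogous to the 'export' action in the advisory.
// Hypothetical names: midi_safe_export_handler, 'midi_export', 'midi_export_nonce'.

// Register only the authenticated hook. The CWE-434 pattern in an AJAX context
// is a wp_ajax_nopriv_* handler that writes $_FILES to disk without validation;
// no wp_ajax_nopriv_ hook is registered here, so anonymous requests never reach it.
add_action( 'wp_ajax_midi_export', 'midi_safe_export_handler' );

function midi_safe_export_handler() {
    // 1. Nonce: a CSRF check only. As the advisory notes, a nonce exposed in
    //    front-end JavaScript is not a secret, so it must not be the sole gate.
    check_ajax_referer( 'midi_export_nonce', 'nonce' );

    // 2. Authorization: require a capability; nonces are not authentication.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    if ( empty( $_FILES['export_file'] ) || ! is_array( $_FILES['export_file'] ) ) {
        wp_send_json_error( array( 'message' => 'No file supplied.' ), 400 );
    }
    $file = $_FILES['export_file'];

    // 3. Allowlist of extension => MIME type (constructed for this example):
    //    a MIDI exporter has no reason to accept anything else.
    $allowed_mimes = array( 'mid|midi' => 'audio/midi' );

    // 4. Validate extension AND content together. wp_check_filetype_and_ext()
    //    inspects the temp file rather than trusting the client-supplied name or
    //    Content-Type, and returns an empty 'ext'/'type' when the file does not
    //    match the allowlist. The regex match is on the final extension, so a
    //    name such as "song.php.mid" is judged by ".mid", not by ".php".
    $filename = sanitize_file_name( $file['name'] );
    $check    = wp_check_filetype_and_ext( $file['tmp_name'], $filename, $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not permitted.' ), 415 );
    }
    // Core may propose a corrected name when the content and extension disagree.
    $file['name'] = ! empty( $check['proper_filename'] ) ? $check['proper_filename'] : $filename;

    // 5. Let core move the file. 'mimes' re-applies the allowlist inside
    //    wp_handle_upload(); 'test_form' is false because this is an AJAX post,
    //    not a classic form submission.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed_mimes ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    wp_send_json_success( array( 'url' => esc_url_raw( $result['url'] ) ) );
}
```

The defence is layered on purpose: the capability check answers "who may upload", the allowlist answers "what may be uploaded", and the content inspection answers "is the file really what its name claims". Dropping any one of the three recreates a variant of the flaw the advisory describes, and a nonce check alone recreates it exactly, since the nonce is public.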

Security Summary (AI-generated)

CVE-2026-1306 is an arbitrary file upload vulnerability in the midi-Synth plugin for WordPress, affecting all versions up to and including 1.1.0. The flaw arises from missing file type and file extension validation in the 'export' AJAX action, allowing attackers to upload arbitrary files to the affected site's server. Published on 2026-02-14, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity, as a required nonce is trivially accessible via exposure in frontend JavaScript. Successful exploitation enables uploading malicious files, which may lead to remote code execution on the server.

References include source code locations in midiSynth.php (lines 110 and 121) and midiSynthConvert.php (lines 421 and 492) from version 1.1.0, along with a plugin repository changeset (3460788), indicating areas of the vulnerable code and a potential patch commit.

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

CVE-2026-1306 allows unauthenticated arbitrary file upload in a public-facing WordPress plugin, enabling exploitation of public-facing applications (T1190) and deployment of web shells for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References