WordPress Plugin Vulnerabilities

Meta Box < 5.11.2 - Contributor+ Arbitrary File Deletion

Description

The plugin is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Plugin icon
meta-box
Fixed in 5.11.2

References

CVE
CVE-2026-39468
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c303fffe-628b-4e88-9274-7dd242f2186e

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Nguyen Ba Khanh
Verified
No
WPVDB ID
a3492097-81cf-4ab9-a137-9c5f303888fb

Timeline

Publicly Published
2026-04-13 (about 1 month ago)
Added
2026-04-22 (about 21 days ago)
Last Updated
2026-04-22 (about 21 days ago)

Other

Published
Title
Published
2024-07-01
Title
LA-Studio Element Kit for Elementor < 1.3.9 - Authenticated (Contributor+) Local File Inclusion
Published
2025-05-24
Title
WP Job Portal < 2.3.3 - Unauthenticated Arbitrary File Download
Published
2024-07-09
Title
Woocommerce OpenPos < 7.0.1 - Unauthenticated Arbitrary File Deletion
Published
2025-07-28
Title
Simple File List < 6.1.15 - Unauthenticated Arbitrary File Download
Published
2024-03-28
Title
SellKit < 1.8.3 - Authenticated (Subscriber+) Arbitrary File Download