Link Library < 7.8.9 – Authenticated (Contributor+) Arbitrary File Deletion | CVE 2026-40779 | Plugin Vulnerabilities

Description

The Link Library plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 7.8.8. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

Affects Plugins

Fixed in 7.8.9

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/58f52ad6-02d0-4f34-af04-11c00fdcdae7

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Trương Hữu Phúc (truonghuuphuc)

Verified

No

WPVDB ID

ce930ce0-a5d5-4ec1-bc0d-a29bd2c663d6

Timeline

Publicly Published

2026-04-22 (about 2 months ago)

Added

2026-04-30 (about 1 month ago)

Last Updated

2026-04-30 (about 1 month ago)

Other

Published

Title

Published

2026-02-25

Title

Squeeze < 1.7.8 - Authenticated (Subscriber+) Directory Traversal

Published

2024-09-30

Title

Hello World < 2.2.0 - Authenticated (Subscriber+) Arbitrary File Read

Published

2025-04-10

Title

WPJobBoard < 5.11.1 - Authenticated (Subscriber+) Path Traversal

Published

2024-11-08

Title

WooCommerce Support Ticket System < 17.8 - Unauthenticated Arbitrary File Deletion

Published

2025-04-17

Title

StoreContrl Woocommerce < 4.1.4 - Unauthenticated Arbitrary File Download