CVE-2026-1306

CRITICAL NUCLEI

Midi-Synth <1.1.0 - Unauthenticated RCE

Title source: llm

Exploitation Summary

EIP tracks 4 public exploits for CVE-2026-1306. PoCs published by XiaomingX, adminlove520, richardpaimu34 and murrez. A Nuclei detection template is also available.

AI-analyzed exploit summary (XiaomingX repository): The repository lacks actual exploit code and instead redirects to an external download link (tinyurl.com). The README contains vague marketing language ('detection evasion', 'proxy support') without technical details about the vulnerability.

Description

The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible provided the attacker can obtain a valid nonce. The nonce is exposed in frontend JavaScript, making it trivially accessible to unauthenticated attackers.

Exploits (4)

github · SUSPICIOUS · 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-1306

The repository lacks actual exploit code and instead redirects to an external download link (tinyurl.com). The README contains vague marketing language ('detection evasion', 'proxy support') without technical details about the vulnerability.

Classification
Suspicious 95%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: unspecified
No auth needed
Prerequisites: none specified
devstral-2 · analyzed Feb 27, 2026
github · WORKING POC · 4 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-1306

This repository contains a functional Python exploit for CVE-2026-1306, targeting the midi-Synth WordPress plugin. The exploit leverages an improper file type validation in the 'export' AJAX action to upload a malicious PHP shell, which is left on the server due to a cleanup failure when the API key validation fails.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: midi-Synth WordPress plugin (≤ 1.1.0)
No auth needed
Prerequisites: Target must have the midi-Synth plugin installed · A page with the [midiSynth] shortcode must be accessible to fetch the nonce
devstral-2 · analyzed May 17, 2026
nomisec · SUSPICIOUS · 2 stars
by richardpaimu34 · poc
https://github.com/richardpaimu34/CVE-2026-1306

The repository lacks actual exploit code and instead redirects to an external download link (tinyurl.com). The README provides vague details about the exploit chain without technical depth, which is characteristic of social engineering lures.

Classification
Suspicious 95%
Attack Type
Other
Complexity
Theoretical
Reliability
Theoretical
Target: unspecified
No auth needed
devstral-2 · analyzed Feb 18, 2026
github · WORKING POC
by murrez · pythonpoc
https://github.com/murrez/CVE-2026-1306

This repository contains a functional Python exploit for CVE-2026-1306, targeting the midi-Synth WordPress plugin. The exploit automates the extraction of a nonce from pages containing the [midiSynth] shortcode and leverages an insecure file upload vulnerability in the 'export' AJAX action to upload a malicious PHP shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: midi-Synth WordPress plugin (≤ 1.1.0)
No auth needed
Prerequisites: Target must have the midi-Synth plugin installed · A page with the [midiSynth] shortcode must be accessible to extract the nonce
devstral-2 · analyzed Apr 28, 2026
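The two working PoCs above describe the same request sequence: fetch a page carrying the [midiSynth] shortcode for the nonce, POST to the 'export' AJAX action with a PHP file, then request the file that was left behind. Here is a small hunt over combined-format web server access logs for that sequence, added as an illustrative example that is not from the page, the plugin or any of the listed repositories. It keys on an unauthenticated POST to /wp-admin/admin-ajax.php followed, from the same client within a window, by a successful GET of a PHP-executable path under /wp-content/uploads/. Two assumptions the advisory does not state: that the uploaded file lands under wp-content/uploads, and that some PoCs put action=export in the query string (POST bodies are not logged, so the detector records the query string when present but does not require it). The log lines are constructed, and every name (parse_line, find_upload_chains, SAMPLE_LOG) is this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format; we only need client, time, request and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

AJAX_PATH = "/wp-admin/admin-ajax.php"

# Assumption (not stated by the advisory): the dropped file is served from
# wp-content/uploads. A 200 for a PHP-executable path there is the strong signal.
WEBSHELL_RE = re.compile(
    r"^/wp-content/uploads/.*\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_upload_chains(lines, window=timedelta(minutes=10)):
    """Return (client_ip, ajax_request_path, shell_request_path) for each
    successful GET of a PHP file under uploads that was preceded, within
    `window`, by a POST to admin-ajax.php from the same client."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    hits = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        ajax_posts = [
            r for r in recs
            if r["method"] == "POST" and r["path"].split("?", 1)[0] == AJAX_PATH
        ]
        for r in recs:
            if r["method"] != "GET" or r["status"] != 200:
                continue
            if not WEBSHELL_RE.match(r["path"]):
                continue
            prior = [a for a in ajax_posts if a["ts"] <= r["ts"] <= a["ts"] + window]
            if prior:
                # Report the most recent qualifying AJAX POST before the shell hit.
                hits.append((ip, prior[-1]["path"], r["path"]))
    return hits


# Constructed sample log: one exploit chain, one benign AJAX + MIDI download,
# and one scanner probing for a shell that does not exist.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2026:10:00:01 +0000] "GET /synth-demo/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=export HTTP/1.1" 200 73 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2026:10:00:03 +0000] "GET /wp-content/uploads/2026/02/shell.php?cmd=id HTTP/1.1" 200 48 "-" "python-requests/2.31"
198.51.100.4 - - [14/Feb/2026:10:05:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 23 "https://example.org/" "Mozilla/5.0"
198.51.100.4 - - [14/Feb/2026:10:05:01 +0000] "GET /wp-content/uploads/2026/02/song.mid HTTP/1.1" 200 812 "https://example.org/" "Mozilla/5.0"
192.0.2.9 - - [14/Feb/2026:11:30:00 +0000] "GET /wp-content/uploads/2026/02/shell.php HTTP/1.1" 404 196 "-" "curl/8.4"
"""

if __name__ == "__main__":
    for ip, ajax, shell in find_upload_chains(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {ajax} -> {shell}")
```

Only the 203.0.113.7 sequence is reported: the 198.51.100.4 client makes a legitimate AJAX call and then downloads a .mid file, and the 192.0.2.9 probe gets a 404 with no preceding POST. On a real host, widen the window if the PoC you are matching delays its second request, and treat any 200 on a PHP path under uploads as worth a look even without the AJAX correlation.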

Nuclei Templates (1)

WordPress midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload
CRITICAL · VERIFIED · by pussycat0x

Scores

CVSS v3 9.8
EPSS 0.3145
EPSS Percentile 96.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
adminkov/midi-Synth < 1.1.0
Published Feb 14, 2026
Tracked Since Feb 18, 2026