EIP-2026-113508

PRE-CVE

WordPress Core < 4.9.6 - (Authenticated) Arbitrary File Deletion

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-113508. PoCs published by VulnSpy.

AI-analyzed exploit summary This exploit demonstrates an arbitrary file deletion vulnerability in WordPress <= 4.9.6 by leveraging the `thumb` parameter in `post.php` to manipulate file paths, followed by a deletion request. It requires valid authentication and nonces.

Description

WordPress Core < 4.9.6 - (Authenticated) Arbitrary File Deletion

Exploits (1)

exploitdb WORKING POC

by VulnSpy · textwebappsphp

https://www.exploit-db.com/exploits/44949

View Code ZIP pw:eip

This exploit demonstrates an arbitrary file deletion vulnerability in WordPress <= 4.9.6 by leveraging the `thumb` parameter in `post.php` to manipulate file paths, followed by a deletion request. It requires valid authentication and nonces.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: WordPress <= 4.9.6

Auth required

Prerequisites: Valid WordPress admin credentials · Valid nonce values

MITRE ATT&CK

T1003.002 - Security Account Manager T1059.004 - Unix Shell

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026