CVE-2026-1306

midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action

CVSS 9.8 CRITICALEPSS 4.5%CWE-434

Vexday Risk Score

43Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.8EPSS 4.5%KEV nãoPoC —Nuclei simMetasploit —Patch —

Lifecycle

14 Feb 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible granted the attacker can obtain a valid nonce. The nonce is exposed in frontend JavaScript making it trivially accessible to unauthenticated attackers.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

adminkov · midi-Synth

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://plugins.trac.wordpress.org/browser/midi-synth/tags/1.1.0/midiSynthConvert.php#L421 https://plugins.trac.wordpress.org/browser/midi-synth/tags/1.1.0/midiSynthConvert.php#L492 https://plugins.trac.wordpress.org/browser/midi-synth/tags/1.1.0/midiSynth.php#L110 https://plugins.trac.wordpress.org/browser/midi-synth/tags/1.1.0/midiSynth.php#L121 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460788%40midi-synth&new=3460788%40midi-synth&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/d5b695d7-c690-4748-b218-5699d1aa63bf?source=cve