CVE-2026-1306
published 2026-02-14


Priority: P1 · 79
Severity: critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.46% (90.2th percentile)
The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible granted the attacker can obtain a valid nonce. The nonce is exposed in frontend JavaScript making it trivially accessible to unauthenticated attackers.

Affected (1 range)

Vendor     Product      Version range   Fixed in
adminkov   midi-synth   <= 1.1.0        not listed

Detection & IOCs (extracted from sources)

url:     /wp-admin/admin-ajax.php
path:    /wp-content/plugins/midi-synth/sound/
command: action=export&nonce={{nonce}}&fileName={{randstr}}.txt&fileMidi={{base64("{{randstr}}")}}}
other:   var midiSynth_nonce = "([a-z0-9]+)"
  • Monitor POST requests to /wp-admin/admin-ajax.php with the parameter 'action=export' — this is the vulnerable AJAX action used to upload arbitrary files without authentication.
  • Alert on GET requests to /wp-content/plugins/midi-synth/sound/ for unexpected file extensions (e.g., .php, .txt) — uploaded files land in this directory and may be directly executed.
  • Detect nonce harvesting by looking for JavaScript responses containing the pattern 'var midiSynth_nonce' in page source — the nonce is exposed in frontend JavaScript and is trivially accessible to unauthenticated attackers.
  • Flag unauthenticated requests to admin-ajax.php carrying both 'action=export' and 'fileMidi=' parameters (base64-encoded file content), as this is the exact exploit payload pattern.
  • Exploitation requires a valid nonce, but this is a low barrier since the nonce is embedded in frontend JavaScript and accessible to unauthenticated users — do not rely on nonce secrecy as a mitigating control.
  • All versions up to and including 1.1.0 of the midi-Synth WordPress plugin are affected; ensure detection rules target this version range.
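The detection rules in the bullets above, worked through as an added example that is not part of this advisory page or of the plugin: a small Python script that applies the three rules (export action on admin-ajax.php, non-MIDI file requested from the sound directory, nonce pattern in a page body) to constructed JSON-lines request records, then correlates them per source address so that one client triggering all three stands out as a full chain. The record layout (fields ts, src, method, url, body, auth, resp_body), the sample values, and the assumption that the sound directory legitimately holds only .mid/.midi files are all assumptions made for this example.

```python
import json
import os
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample events in a JSON-lines shape such as a reverse proxy or
# WAF might emit. Field names and values are assumptions for this example, not
# log data from the advisory. The first three lines mimic the chain described in
# the bullets: harvest the nonce, call action=export, fetch the dropped file.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2026-02-15T10:00:01Z", "src": "198.51.100.7", "method": "GET",
     "url": "/", "auth": False,
     "resp_body": '<script>var midiSynth_nonce = "a1b2c3d4e5";</script>'},
    {"ts": "2026-02-15T10:00:02Z", "src": "198.51.100.7", "method": "POST",
     "url": "/wp-admin/admin-ajax.php", "auth": False,
     "body": "action=export&nonce=a1b2c3d4e5&fileName=probe.txt&fileMidi=aGVsbG8="},
    {"ts": "2026-02-15T10:00:03Z", "src": "198.51.100.7", "method": "GET",
     "url": "/wp-content/plugins/midi-synth/sound/probe.txt", "auth": False},
    {"ts": "2026-02-15T10:05:00Z", "src": "203.0.113.9", "method": "GET",
     "url": "/wp-content/plugins/midi-synth/sound/demo.mid", "auth": True},
    {"ts": "2026-02-15T10:06:00Z", "src": "203.0.113.9", "method": "POST",
     "url": "/wp-admin/admin-ajax.php", "auth": True,
     "body": "action=heartbeat&_nonce=zz"},
])

AJAX_PATH = "/wp-admin/admin-ajax.php"
SOUND_DIR = "/wp-content/plugins/midi-synth/sound/"
# Regex from the IOC list: matches the nonce embedded in frontend JavaScript.
NONCE_RE = re.compile(r'var midiSynth_nonce = "([a-z0-9]+)"')
# Assumption: the plugin's sound directory legitimately serves only MIDI files.
EXPECTED_EXT = {".mid", ".midi"}


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def request_params(event):
    """Merge query-string and form-body parameters into one flat dict."""
    merged = parse_qs(urlsplit(event.get("url", "")).query)
    merged.update(parse_qs(event.get("body", "")))
    return {k: v[0] for k, v in merged.items()}


def detect(events):
    """Apply the three detection rules to each event and return alert dicts."""
    alerts = []
    for ev in events:
        path = urlsplit(ev.get("url", "")).path
        params = request_params(ev)
        base = {"src": ev.get("src"), "ts": ev.get("ts")}
        # Rule 1: the vulnerable AJAX action. An unauthenticated call that also
        # carries fileMidi= is the upload pattern itself, so it gets top severity.
        if path == AJAX_PATH and params.get("action") == "export":
            unauth = not ev.get("auth", False)
            alerts.append({**base, "rule": "midi_synth_export_action",
                           "severity": "critical" if unauth and "fileMidi" in params else "high",
                           "detail": f"fileName={params.get('fileName')!r} unauth={unauth}"})
        # Rule 2: a non-MIDI file requested from the upload landing directory.
        if path.startswith(SOUND_DIR):
            ext = os.path.splitext(path)[1].lower()
            if ext not in EXPECTED_EXT:
                alerts.append({**base, "rule": "midi_synth_unexpected_file",
                               "severity": "high", "detail": f"path={path} ext={ext or '(none)'}"})
        # Rule 3: the nonce leaving the server inside a page body.
        m = NONCE_RE.search(ev.get("resp_body", ""))
        if m:
            alerts.append({**base, "rule": "midi_synth_nonce_exposed",
                           "severity": "info", "detail": f"nonce={m.group(1)}"})
    return alerts


def correlate(alerts):
    """Return source addresses that triggered all three rules (the full chain)."""
    needed = {"midi_synth_nonce_exposed", "midi_synth_export_action",
              "midi_synth_unexpected_file"}
    seen = {}
    for a in alerts:
        seen.setdefault(a["src"], set()).add(a["rule"])
    return sorted(src for src, rules in seen.items() if needed <= rules)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(a["severity"].upper(), a["rule"], a["src"], a["detail"])
    print("full chain from:", correlate(found))
```

Rule 3 is deliberately low severity on its own: every visitor to a page that enqueues the plugin's script sees the nonce, so it is useful as context for the other two rules rather than as an alert by itself. The correlation step is what turns three weak signals into one strong one, and it is also where the nonce value could be carried across into the export request to confirm the harvested nonce was the one used.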