CVE-2026-1306
Published 2026-02-14 · Priority P179 · Critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 4.46% (90.2th percentile)
The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible provided the attacker can obtain a valid nonce. The nonce is exposed in frontend JavaScript, making it trivially accessible to unauthenticated attackers.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adminkov | midi-synth | <= 1.1.0 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /wp-admin/admin-ajax.php with the parameter 'action=export' — this is the vulnerable AJAX action used to upload arbitrary files without authentication.
- Alert on GET requests to /wp-content/plugins/midi-synth/sound/ for unexpected file extensions (e.g., .php, .txt) — uploaded files land in this directory and may be directly executed.
- Detect nonce harvesting by looking for JavaScript responses containing the pattern 'var midiSynth_nonce' in page source — the nonce is exposed in frontend JavaScript and is trivially accessible to unauthenticated attackers.
- Flag unauthenticated requests to admin-ajax.php carrying both 'action=export' and 'fileMidi=' parameters (base64-encoded file content), as this is the exact exploit payload pattern.
- Exploitation requires a valid nonce, but this is a low barrier since the nonce is embedded in frontend JavaScript and accessible to unauthenticated users — do not rely on nonce secrecy as a mitigating control.
- All versions up to and including 1.1.0 of the midi-Synth WordPress plugin are affected; ensure detection rules target this version range.
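The first, second and fourth detection points above, turned into a small log-scanning example added here (it is not code from the advisory, the plugin or the Nuclei template). It assumes combined-format web server access logs, that the AJAX parameters appear in the query string (parameters sent in the POST body need request-body logging or a WAF to be seen), and a constructed set of file extensions the plugin's sound directory is expected to serve.

```python
import posixpath
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=export HTTP/1.1" 200 57 "-" "python-requests/2.31"
203.0.113.7 - - [14/Feb/2026:10:01:09 +0000] "GET /wp-content/plugins/midi-synth/sound/test.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.4 - - [14/Feb/2026:10:02:30 +0000] "GET /wp-content/plugins/midi-synth/sound/song.mid HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Feb/2026:10:02:31 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SOUND_DIR = "/wp-content/plugins/midi-synth/sound/"
# Assumption: the sound directory should only ever serve audio/MIDI assets.
EXPECTED_SOUND_EXT = {".mid", ".midi", ".wav", ".mp3", ".ogg", ".sf2"}

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_entry(entry):
    """Return the names of the detection rules that fire for one parsed entry."""
    hits = []
    path, _, query = entry["target"].partition("?")
    params = dict(parse_qsl(query, keep_blank_values=True))
    # Rule 1: POST to admin-ajax.php invoking the vulnerable 'export' action
    # (query-string parameters only; body parameters need request-body logging or a WAF).
    if entry["method"] == "POST" and path.endswith("/wp-admin/admin-ajax.php") and params.get("action") == "export":
        hits.append("midi-synth-export-action")
        if "fileMidi" in params:  # action=export together with fileMidi= is the full upload pattern
            hits.append("midi-synth-export-with-payload")
    # Rule 2: fetch of a non-audio file from the directory that uploaded files land in.
    if entry["method"] == "GET" and path.startswith(SOUND_DIR):
        ext = posixpath.splitext(path)[1].lower()
        if ext not in EXPECTED_SOUND_EXT:
            hits.append("midi-synth-sound-dir-unexpected-ext")
    return hits

def scan_log(text):
    """Run both rules over a whole log; returns (ip, rule, target) triples."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            alerts.extend((entry["ip"], rule, entry["target"]) for rule in flag_entry(entry))
    return alerts
```

Two alerts from the same client a few seconds apart (the export POST, then a GET of a non-audio file from the sound directory) are a stronger signal than either on its own, so correlating by IP is the natural next step.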
No detection rules found.
Nuclei
WordPress midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload (nuclei · CVSS 9.8)
CVE-2026-1306 [CRITICAL] WordPress midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload
WordPress midi-Synth plugin <= 1.1.0 contains an unrestricted file upload vulnerability caused by missing file type and extension validation in the 'export' AJAX action, letting unauthenticated attackers upload arbitrary files and potentially execute remote code. Exploitation requires the attacker to obtain a valid nonce, which is exposed in frontend JavaScript.
Template:

```yaml
id: CVE-2026-1306

info:
  name: WordPress midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload
  author: pussycat0x
  severity: critical
  description: |
    WordPress midi-Synth plugin <= 1.1.0 contains an unrestricted file upload vulnerability caused by missing file type and extension validation in the 'export' AJAX action, letting unauthenticated attackers upload arbitrary files and potentially execute remote code, exploit requires attacker to obtain a valid nonce exposed in frontend JavaScript.
```
References
- https://plugins.trac.wordpress.org/browser/midi-synth/tags/1.1.0/midiSynth.php#L110
- https://plugins.trac.wordpress.org/browser/midi-synth/tags/1.1.0/midiSynth.php#L121
- https://plugins.trac.wordpress.org/browser/midi-synth/tags/1.1.0/midiSynthConvert.php#L421
- https://plugins.trac.wordpress.org/browser/midi-synth/tags/1.1.0/midiSynthConvert.php#L492
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460788%40midi-synth&new=3460788%40midi-synth&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d5b695d7-c690-4748-b218-5699d1aa63bf?source=cve