Security Alert Summary
The midi-Synth plugin for WordPress contains a vulnerability that allows unauthenticated arbitrary file uploads via the plugin’s export AJAX action. Missing file type and extension validation combined with a frontend-exposed nonce can allow an attacker to upload files to the site server, which may make remote code execution possible if a valid nonce is obtained.
CVE Details
- CVE ID: CVE-2026-1306
- Affected plugin / component: midi-Synth plugin for WordPress
- Affected versions: All versions up to, and including, 1.1.0
- Published: February 14, 2026 at 7:16:10 AM UTC
- Last modified: February 14, 2026 at 7:16:10 AM UTC
- CVSS v3.1: Base Score 9.8, Severity: CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Primary impact: Confidentiality: HIGH, Integrity: HIGH, Availability: HIGH
- CWE / weakness: CWE-434 (Unrestricted Upload of File with Dangerous Type)
Technical Details
The vulnerability exists because the plugin’s export AJAX action does not validate uploaded file types or file extensions. An unauthenticated attacker can send file upload requests to this action. The CVE description states that a nonce is required for the action, but that nonce is exposed in frontend JavaScript and therefore is trivially accessible to unauthenticated attackers. Because file type and extension checks are missing, attackers can upload arbitrary files to the web server.
The practical impact of the missing validation is the placement of attacker-supplied files on the site. If an uploaded file is executable by the web server (for example, a PHP file on a server that processes PHP), this can enable remote code execution. The CVE does not specify exact file paths or function names beyond the export AJAX action, and it does not state a fixed version in which the issue is resolved.
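To show what the missing checks look like when they are present, here is an added example of a hardened WordPress AJAX upload handler. It is not midi-Synth's own code: the hook name, the `example_` function, the `nonce` request parameter and the MIDI-only allow-list are assumptions.

```php
<?php
// Added example (not midi-Synth's code): hardened AJAX upload handler.
// Hook name, function name and the MIDI-only allow-list are assumptions.

// Registered only on wp_ajax_* (logged-in users). Deliberately NOT on
// wp_ajax_nopriv_*: unauthenticated visitors must not reach an upload
// handler at all, regardless of whether they hold a nonce.
add_action( 'wp_ajax_example_export_upload', 'example_handle_export_upload' );

function example_handle_export_upload() {
    // 1. Nonce check. A nonce printed into frontend JavaScript only ties the
    //    request to a page/session; it is not authentication or authorization.
    check_ajax_referer( 'example_export_upload', 'nonce' );

    // 2. Authorization: require a capability, not merely a logged-in session.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    if ( empty( $_FILES['file'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file received', 400 );
    }
    $file = $_FILES['file'];

    // 3. Allow-list of the only type this feature needs (assumption: MIDI).
    //    Anything else, including .php or double extensions, is rejected.
    $allowed = array( 'mid|midi' => 'audio/midi' );

    // 4. Validate extension and, where WordPress can sniff it, content.
    //    ext/type come back empty when the file does not match the allow-list.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not permitted', 415 );
    }

    // 5. Let WordPress move the file: it re-applies the type check against the
    //    same allow-list and stores it under the uploads directory with a
    //    sanitized, unique filename instead of the attacker-chosen name.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The three separate controls (capability, nonce, content allow-list) are the point: the advisory's weakness is that only the nonce was present, and a nonce alone cannot stand in for the other two.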
How This Could Impact Your Website
Imagine a small WordPress site where the site owner installs midi-Synth and a content editor or external contractor occasionally interacts with frontend features. Because the nonce required for the upload action is exposed in frontend JavaScript, an unauthenticated attacker can craft requests to the export AJAX action and upload arbitrary files to the server. Uploaded files could enable attackers to execute code or access site data, which may lead to data exposure or modification.
Potential consequences include disclosure of site content or user data, increased risk of targeted phishing if internal email addresses or contact information are accessed, and unauthorized changes to site content or availability. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available (fixed version is not specified in the CVE entry).
- Review and reduce unnecessary user roles and capabilities, especially for contributors and other low-privilege accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and logs for unusual file uploads, unexpected new files in web-accessible directories, or suspicious HTTP requests targeting AJAX endpoints.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/midi-synth/tags/1.1.0/midiSynth.php#L110
- https://plugins.trac.wordpress.org/browser/midi-synth/tags/1.1.0/midiSynth.php#L121
- https://plugins.trac.wordpress.org/browser/midi-synth/tags/1.1.0/midiSynthConvert.php#L421
- https://plugins.trac.wordpress.org/browser/midi-synth/tags/1.1.0/midiSynthConvert.php#L492
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d5b695d7-c690-4748-b218-5699d1aa63bf?source=cve