9.8

WordPress midi-Synth Plugin Allows Malicious File Uploads

CVE-2026-1306
Summary

An unauthenticated attacker can upload arbitrary files to a WordPress site running the midi-Synth plugin (all versions up to, and including, 1.1.0), possibly allowing them to take control of the site. The cause is missing file type and file extension validation in the plugin's 'export' AJAX action. To protect your site, update the midi-Synth plugin to the latest version or remove it altogether if it's not essential.

Original title
The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, ...
Original description
The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible granted the attacker can obtain a valid nonce. The nonce is exposed in frontend JavaScript making it trivially accessible to unauthenticated attackers.
NVD CVSS 3.1: 9.8
Vulnerability type
CWE-434 Unrestricted File Upload
Published: 14 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026
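
For plugin authors, an added example (not the midi-Synth plugin's code and not part of the advisory) of a WordPress AJAX upload handler that applies the controls the description says were missing: an authorization check that does not rely on the nonce, plus extension, type and content validation. The action name, nonce name, upload field name and the MIDI-only allow-list are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler, not the midi-Synth plugin's code.
// Assumed: action 'example_export', nonce action 'example_export_nonce',
// upload field 'export_file', and an allow-list of MIDI files only.

// Hook wp_ajax_ only. Without a wp_ajax_nopriv_ hook, WordPress never runs
// this handler for visitors who are not logged in.
add_action( 'wp_ajax_example_export', 'example_handle_export' );

function example_handle_export() {
	// A nonce printed into frontend JavaScript is readable by any visitor:
	// it limits CSRF, it does not authenticate or authorize the caller.
	if ( ! check_ajax_referer( 'example_export_nonce', 'nonce', false ) ) {
		wp_send_json_error( 'Invalid nonce', 403 );
	}
	// Authorization: the caller must be allowed to upload files at all.
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( 'Forbidden', 403 );
	}
	if ( empty( $_FILES['export_file'] )
		|| UPLOAD_ERR_OK !== $_FILES['export_file']['error'] ) {
		wp_send_json_error( 'No file received', 400 );
	}

	$file    = $_FILES['export_file'];
	$allowed = array( 'mid|midi' => 'audio/midi' ); // extension => MIME type

	// Extension and type must both resolve against the allow-list, so a
	// name ending in .php or .phtml yields an empty 'ext' and is rejected.
	$name  = sanitize_file_name( $file['name'] );
	$check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed );
	if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
		wp_send_json_error( 'File type not allowed', 415 );
	}
	// Content check: a Standard MIDI File begins with the chunk ID "MThd".
	if ( 'MThd' !== file_get_contents( $file['tmp_name'], false, null, 0, 4 ) ) {
		wp_send_json_error( 'Not a MIDI file', 415 );
	}

	// wp_handle_upload() re-applies the allow-list, picks a unique name and
	// moves the file into the uploads directory.
	require_once ABSPATH . 'wp-admin/includes/file.php';
	$result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
	if ( isset( $result['error'] ) ) {
		wp_send_json_error( $result['error'], 400 );
	}
	wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

Each `wp_send_json_error()` call ends the request, so a failed check never falls through to the file move.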