The Word Count and Social Shares WordPress plugin through 1.0 does not validate a user-supplied file path before deletion, nor does it have proper authorization or CSRF checks, allowing any authenticated user, such as a Subscriber, to delete arbitrary files on the server, which can lead to a full site takeover (e.g. by deleting wp-config.php).
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Word Count and Social Shares WordPress plugin through version 1.0 contains a critical arbitrary file deletion vulnerability that allows authenticated users—even those with minimal Subscriber privileges—to delete arbitrary files from the server without proper authorization checks or CSRF protection. By exploiting missing input validation on file paths, attackers can systematically destroy critical WordPress files such as wp-config.php, resulting in complete site compromise and takeover. This vulnerability is particularly dangerous because it requires only basic authentication access, meaning compromised low-privilege accounts or insider threats can cause catastrophic damage to WordPress installations.
While this specific CVE currently maps to zero MITRE ATT&CK techniques in the Casky.ai framework, practitioners using Claude AI with extended reasoning capabilities would identify the underlying attack pattern as Resource Destruction (T1531) combined with Abuse of Functionality (T1abuse). Casky's security skills would detect behavioral indicators such as: suspicious file deletion requests from low-privilege user accounts, unauthorized wp-config.php access attempts, unexpected DELETE operations targeting critical WordPress directories, and authorization bypass patterns where Subscriber-level roles perform administrative file operations. Security teams monitoring WordPress activity would see these anomalies surface through Casky's threat detection, allowing them to correlate plugin vulnerabilities with exploitation attempts before site-critical files are removed.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-11563. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation