CVE-2026-40779: WordPress Link Library plugin <= 7.8.8 - Arbitrary File Deletion vulnerability
Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions.
Metrics
- CVSS v3.1
- 7.7
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An arbitrary file deletion vulnerability affects the WordPress Link Library plugin versions 7.8.8 and earlier. The flaw is reachable over the network by any authenticated user with at least contributor-level access, requiring no victim interaction. Successful exploitation lets an attacker delete arbitrary files on the server, which can disrupt service availability or destroy critical application data. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-40779 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Link Library plugin.
AvailableHarborGuard scores this CVE at CVSS 7.7 HIGH and can weight findings against each customer environment's compliance policy, routing alerts to the appropriate team inbox based on configured severity thresholds and ownership rules.
AvailableNo upstream fix has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released upstream.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable plugin endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- AuthenticationRequired
The attacker must hold a valid WordPress account with at least contributor-level privileges; no admin account is needed.
- Victim interactionNot required
No victim action is required; the attacker can trigger the file deletion directly without social engineering or user participation.
- Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race wins, or environmental factors.
Blast Radius
- Attacker deletes arbitrary files on the server filesystem, including WordPress core files, theme files, or plugin files.
- Deletion of critical configuration files (such as wp-config.php) renders the WordPress site inoperable, causing a full service outage.
- Persistent data such as uploaded media or configuration backups stored on the same filesystem can be permanently destroyed with no recovery path if backups are absent.
- The availability impact is rated HIGH, meaning the attacker reliably takes the affected service offline or into a broken state.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-40779, HarborGuard monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment a fix version is published. In the meantime, customers can reduce exposure by applying network-policy controls that restrict public contributor-level access to the WordPress admin endpoints, enforcing the principle of least privilege to limit which accounts hold contributor roles, and using egress or filesystem-level restrictions to reduce the blast radius of unauthorized file operations. Customers whose compliance policy flags HIGH-severity unpatched findings will see this CVE surfaced in their HarborGuard dashboard and routed to the appropriate team inbox for manual review.
- Yannick Lefebvre / Link Library≤ 7.8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H