A Broken Access Control vulnerability has been identified in the Surfer WordPress plugin. It allows an unprivileged user (any account that can log in, regardless of role) to perform actions they are not authorized to perform, such as deleting or modifying files on the server.

This vulnerability was discovered and responsibly reported by Jonas Höbenreich.

The flaw is in the plugin's class-post.php file: a request handler there deletes or modifies files on behalf of the requester without an adequate authorization check. Because the handler does not verify that the caller holds a capability appropriate for file operations, an unprivileged user can trigger the deletion or modification simply by requesting a specially crafted URL.
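The pattern behind this class of bug, shown as an added illustration that is not the Surfer plugin's actual code: a WordPress admin-ajax handler that acts on a file named in the request, first in a vulnerable form and then hardened. The action names, function names, the `example-plugin` upload directory and the `nonce`/`file` parameters are assumptions chosen for the example. Note that handlers hooked on `wp_ajax_{action}` run for every logged-in user of any role, so the absence of a capability check is exactly what lets a low-privileged account reach the file operation.

```php
<?php
/*
 * Illustrative example (not the Surfer plugin's code) of a Broken Access Control
 * bug in a WordPress admin-ajax file handler, and its hardened counterpart.
 *
 * VULNERABLE: 'wp_ajax_' handlers fire for any authenticated user, and this one
 * performs no capability check, no nonce check and no path validation. A
 * subscriber-level account can therefore delete arbitrary files with a URL like
 *   /wp-admin/admin-ajax.php?action=example_delete_file&file=../../../wp-config.php
 */
add_action( 'wp_ajax_example_delete_file', 'example_delete_file_vulnerable' );
function example_delete_file_vulnerable() {
    $file = WP_CONTENT_DIR . '/uploads/' . $_GET['file']; // attacker-controlled path
    if ( file_exists( $file ) ) {
        unlink( $file ); // reached by any logged-in user, whatever their role
    }
    wp_send_json_success();
}

/*
 * HARDENED: a state-changing handler must (1) verify a nonce bound to the
 * action, (2) verify the caller's capability, and (3) confine the target to an
 * allow-listed directory and reject path traversal.
 */
add_action( 'wp_ajax_example_delete_file_safe', 'example_delete_file_hardened' );
function example_delete_file_hardened() {
    // (1) CSRF protection: the 'nonce' parameter must have been issued by
    //     wp_create_nonce( 'example_delete_file' ); otherwise the request dies.
    check_ajax_referer( 'example_delete_file', 'nonce' );

    // (2) Authorization: use the narrowest capability that fits the operation.
    //     'manage_options' is held by administrators only, so subscribers,
    //     contributors and authors are rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // (3) Input validation: accept a bare file name only, then confirm the
    //     resolved path still lies inside the directory this plugin owns.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name ) {
        wp_send_json_error( 'bad request', 400 );
    }
    $base = realpath( WP_CONTENT_DIR . '/uploads/example-plugin' ); // assumed plugin directory
    $path = realpath( $base . '/' . $name );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'bad request', 400 ); // missing file or traversal attempt
    }

    // wp_delete_file() applies the 'wp_delete_file' filter and then unlinks the path.
    wp_delete_file( $path );
    wp_send_json_success( array( 'deleted' => $name ) );
}
```

Use POST rather than GET for the hardened handler: a destructive action should not be reachable through a link, and the nonce check does not replace the capability check, since a nonce only proves the request came from a page the same user loaded, not that the user is allowed to delete files. The file-name and directory containment checks matter independently of authorization: even an administrator-only handler should not be able to delete files outside the plugin's own directory.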

Severity:

The vulnerability has a CVSS 3.1 base score of 7.6, which is rated High. The base score reflects the technical severity of the issue, here that a low-privileged account can cause significant impact on the affected site; it does not by itself measure how likely exploitation is in the wild.

Affected Versions:

The vulnerability affects all versions of the Surfer Plugin prior to 1.9.1.

Impact:

An attacker who successfully exploits this vulnerability could:

  • Delete or modify files on the website.
  • Change the website’s configuration.
  • Install malicious plugins or themes.

This could lead to a variety of security risks, such as:

  • Data theft
  • Website defacement
  • Denial of service attacks

Recommendation:

Users of the Surfer Plugin are strongly advised to update to version 1.9.1 or later, as versions prior to 1.9.1 are affected. Where updating is not immediately possible, deactivate the plugin until the update can be applied.