Impact
The Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field plugin (up to version 1.0.6) contains an unauthenticated flaw that allows deletion of arbitrary files on the web server. The issue arises from insufficient validation of file paths when the plugin handles file uploads or cleans up data, enabling an attacker to request deletion of any file that the web server can write to. This could result in loss of critical data, compromise of application files, or disturbance of site availability.
Affected Systems
WordPress sites that run the Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field plugin version 1.0.6 or earlier are vulnerable. The plugin, developed by Satinder Singh, is available through the WordPress plugin repository.
Risk and Exploitability
The CVSS base score of 8.6 indicates high severity, while the EPSS score of less than 1 % indicates a low likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. It can be triggered without authentication; the likely attack path involves sending a crafted HTTP request to the plugin’s file‑deletion endpoint, which does not require privileged credentials. Consequently, the risk remains high, though the predicted exploitation probability is low.
OpenCVE Enrichment