Description
Unauthenticated Arbitrary File Deletion in Contact Form Extender for Divi &#8211; Save Entries, File Upload &amp; Country Code Field <= 1.0.6 versions.
Published: 2026-06-15
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field plugin (up to version 1.0.6) contains an unauthenticated flaw that allows deletion of arbitrary files on the web server. The issue arises from insufficient validation of file paths when the plugin handles file uploads or cleans up data, enabling an attacker to request deletion of any file that the web server can write to. This could result in loss of critical data, compromise of application files, or disturbance of site availability.

Affected Systems

WordPress sites that run the Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field plugin version 1.0.6 or earlier are vulnerable. The plugin, developed by Satinder Singh, is available through the WordPress plugin repository.

Risk and Exploitability

The CVSS base score of 8.6 indicates high severity, while the EPSS score of less than 1 % indicates a low likelihood of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. It can be triggered without authentication; the likely attack path involves sending a crafted HTTP request to the plugin’s file‑deletion endpoint, which does not require privileged credentials. Consequently, the risk remains high, though the predicted exploitation probability is low.

Generated by OpenCVE AI on June 18, 2026 at 00:58 UTC.

Remediation

Vendor Solution

Update the WordPress Contact Form Extender for Divi &#8211; Save Entries, File Upload &amp; Country Code Field Plugin to the latest available version (at least 1.0.7).


OpenCVE Recommended Actions

  • Upgrade the Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field plugin to version 1.0.7 or later.
  • If an upgrade cannot be applied immediately, disable or remove the plugin from the WordPress site.
  • Restrict write and execute permissions on the plugin’s upload directories so that the web server cannot be prompted to delete arbitrary files.
  • Implement web application firewall rules to block suspicious file‑deletion requests targeting the plugin’s endpoints.

Generated by OpenCVE AI on June 18, 2026 at 00:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Satinder Singh
Satinder Singh contact Form Extender For Divi &#8211; Save Entries, File Upload &amp; Country Code Field
Wordpress
Wordpress wordpress
Vendors & Products Satinder Singh
Satinder Singh contact Form Extender For Divi &#8211; Save Entries, File Upload &amp; Country Code Field
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Arbitrary File Deletion in Contact Form Extender for Divi &#8211; Save Entries, File Upload &amp; Country Code Field <= 1.0.6 versions.
Title WordPress Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field plugin <= 1.0.6 - Arbitrary File Deletion vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}


Subscriptions

Satinder Singh Contact Form Extender For Divi &#8211; Save Entries, File Upload &amp; Country Code Field
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T13:19:07.382Z

Reserved: 2026-04-15T09:20:32.457Z

Link: CVE-2026-40769

cve-icon Vulnrichment

Updated: 2026-06-16T13:18:30.573Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:49.477

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40769

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:07:36Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')