Description
The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function: the nonce check is only executed when _wpnonce is present in the POST body, allowing it to be trivially bypassed by omitting the field. This is combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result's post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values associated with keys containing 'ys_cfdbh_file' are used as file paths appended to the uploads directory path without any path traversal validation, and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files).
Published: 2026-05-28
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The WP Contact Form 7 DB Handler plugin, in versions up to and including 3.0, allows an adversary to deploy a CSRF attack that triggers a UNION-based SQL injection, exploits unsanitized numeric input, and deserializes a malicious PHP array. Because the plugin does not verify a security nonce when the _wpnonce field is omitted, an attacker can craft a page that convinces a logged-in administrator to submit a payload. The faulty deserialization treats the values of array keys containing 'ys_cfdbh_file' as file paths, which are concatenated with the uploads directory and passed to wp_delete_file, enabling deletion of any file on the server, such as wp-config.php or core system files. This vulnerability is classified as CWE-352, a Cross-Site Request Forgery flaw.

Affected Systems

Any WordPress site running the yudiz WP Contact Form 7 DB Handler plugin at version 3.0 or earlier is affected. The vulnerability impacts all users who manage the plugin on those sites, regardless of their role at the moment the CSRF is triggered.

Risk and Exploitability

With a CVSS score of 8.1, the flaw presents a high severity risk. The EPSS score is not listed, so the current exploitation probability is unknown, and the flaw is not yet part of the CISA KEV catalog. The likely attack vector is a CSRF page prepared by an attacker; a logged-in administrator must be tricked into visiting that page. The attack is trivial to execute from the attacker's side and requires no additional pre-conditions beyond the presence of an authenticated administrator. Once executed, the attacker can delete arbitrary files, compromising confidentiality, integrity, and availability of the site.

Generated by OpenCVE AI on May 28, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Contact Form 7 DB Handler plugin to a version newer than 3.0 that includes the CSRF nonce and input sanitization patch.
  • If an upgrade cannot be applied immediately, add an unconditional nonce verification check to the process_bulk_action routine and enforce integer casting on the ID parameter to prevent injection.
  • Deploy a web application firewall rule set that blocks UNION SELECT patterns and rejects serialized PHP array payloads, and restrict file-deletion permissions so that wp_delete_file() can only remove non-essential files.
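A hardened version of the bulk-action handler, written here as an added illustration of the fixes listed above (unconditional nonce check, integer casting with a parameterized query, deserialization that cannot instantiate objects, and path containment before wp_delete_file()). This is not the plugin's own code; the function name, nonce action and post type are assumptions, while every WordPress API called is a real core function.

```php
<?php
// Illustrative hardened bulk-delete handler, not the plugin's own code. Assumed names:
// ys_cfdbh_hardened_bulk_delete, nonce action 'ys_cfdbh_bulk', post type 'ys_cfdbh_entry'.

// Absolute path of $candidate inside $base_dir, or null if it escapes the
// uploads directory (traversal) or does not exist.
function ys_cfdbh_contained_path( $base_dir, $candidate ) {
    $base = realpath( $base_dir );
    if ( false === $base || ! is_string( $candidate ) ) {
        return null;
    }
    // basename() drops any directory component, so '../../wp-config.php' becomes 'wp-config.php'.
    $target = realpath( $base . DIRECTORY_SEPARATOR . basename( $candidate ) );
    return ( false !== $target && 0 === strpos( $target, $base . DIRECTORY_SEPARATOR ) ) ? $target : null;
}

function ys_cfdbh_hardened_bulk_delete() {
    global $wpdb;
    // CSRF: check_admin_referer() dies when _wpnonce is missing or invalid,
    // so omitting the field no longer skips the check.
    check_admin_referer( 'ys_cfdbh_bulk' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // SQLi: cast to a non-negative integer and bind with %d, so no UNION/CHAR()
    // payload can reach the numeric WHERE ID = ... context.
    $id = isset( $_POST['contact_form'] ) ? absint( $_POST['contact_form'] ) : 0;
    if ( 0 === $id ) {
        return;
    }
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT post_content FROM {$wpdb->posts} WHERE ID = %d AND post_type = %s",
        $id, 'ys_cfdbh_entry'
    ) );
    // Object injection: never instantiate classes from stored data.
    $data = $row ? @unserialize( $row->post_content, array( 'allowed_classes' => false ) ) : false;
    if ( ! is_array( $data ) ) {
        return;
    }
    // Arbitrary deletion: only remove files that resolve inside the uploads directory.
    $base_dir = wp_upload_dir()['basedir'];
    foreach ( $data as $key => $value ) {
        if ( false === strpos( (string) $key, 'ys_cfdbh_file' ) ) {
            continue;
        }
        $path = ys_cfdbh_contained_path( $base_dir, $value );
        if ( null !== $path ) {
            wp_delete_file( $path );
        }
    }
}
```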

Advisories

No advisories yet.

History

Thu, 28 May 2026 12:30:00 +0000

Values added:
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 07:30:00 +0000

Values added:
Description: added (identical to the description at the top of this page)
Title: WP Contact Form 7 DB Handler <= 3.0 - Cross-Site Request Forgery to Arbitrary File Deletion via 'contact_form' Parameter
Weaknesses: CWE-352
References: none listed
Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:34:08.834Z

Reserved: 2026-04-16T20:17:12.219Z

Link: CVE-2026-6455

Vulnrichment

Updated: 2026-05-28T10:34:03.210Z

NVD

Status: Deferred

Published: 2026-05-28T08:16:36.477

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-6455

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T08:30:12Z

Weaknesses