Impact
The plugin is vulnerable to arbitrary file deletion because the view_page function performs no file path validation. A crafted POST parameter can cause PHP's JSON parser to reshape the key so that the existence check is bypassed, allowing any file referenced by a traversal string to be deleted. Successful exploitation lets an attacker delete critical files such as wp-config.php, which can lead to remote code execution. The weakness is a classic path traversal flaw (CWE-22).
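The following PHP is an added illustration of the missing check, not the plugin's own code: function names, the upload directory and the POST field name are assumptions. It places the existence-check-only pattern the description refers to beside a hardened variant that canonicalises the path with realpath() and refuses anything that resolves outside the plugin's directory.

```php
<?php
// Added illustration, not the plugin's code. All names here are assumptions.

// Weak pattern: an existence check alone does not stop traversal, because a
// path such as "../../wp-config.php" exists as well and reaches unlink().
function delete_entry_file_weak(string $uploadDir, string $userPath): bool {
    $target = $uploadDir . '/' . $userPath;
    if (!file_exists($target)) {
        return false;
    }
    return unlink($target);
}

// Hardened variant: canonicalise both sides, then require the resolved file
// to sit inside the canonical upload directory before deleting it.
function delete_entry_file_safe(string $uploadDir, string $userPath): bool {
    $base = realpath($uploadDir);
    if ($base === false || $userPath === '' || strpos($userPath, "\0") !== false) {
        return false;
    }
    // realpath() collapses "..", follows symlinks and returns false for
    // non-existent files, so a symlink escaping the directory is caught too.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Containment check: the resolved path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// The entry arrives JSON-encoded in a POST field (assumed name "entry").
// Decode strictly and keep only string values before any reach the file system.
function file_refs_from_post(string $json): array {
    $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR); // PHP 7.3+
    if (!is_array($data)) {
        return [];
    }
    return array_values(array_filter($data, 'is_string'));
}

$base = __DIR__ . '/uploads'; // assumed plugin upload directory
foreach (file_refs_from_post($_POST['entry'] ?? '[]') as $ref) {
    delete_entry_file_safe($base, $ref);
}
```

The containment check is what turns the traversal string into a rejected request: `realpath()` resolves it to a path outside `$base`, so the prefix comparison fails before `unlink()` is reached.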
Affected Systems
All installations of the Database for Contact Form 7, WPforms, and Elementor forms plugin with versions 1.5.1 or earlier are affected. The vulnerability exists in the core deletion logic accessed from the plugin’s administrative interface.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. EPSS is not reported, and the vulnerability is not listed in CISA's KEV catalog. Inference from the description points to an HTTP POST attack vector targeting the form entry view page: the attacker supplies a malicious form entry that an administrator subsequently opens or edits, and once the administrator accesses the poisoned entry the deletion executes automatically. Because no pre-authentication step is required, unauthenticated attackers can initiate the exploit by creating the poisoned entry, provided they have write access to the plugin database. The exploit would most likely be carried out by a site administrator who has previously compromised the site, or by a malicious actor who can inject the entry through the form interface.
OpenCVE Enrichment