Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Network-reachable WordPress endpoint, no auth or interaction, low complexity; deletion affects core WordPress files beyond the plugin (scope change) with high availability impact and no direct C/I impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Arbitrary File Deletion in Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field <= 1.0.6 versions.
AnalysisAI
Unauthenticated arbitrary file deletion in the WordPress plugin Contact Form Extender for Divi (versions <= 1.0.6) allows remote attackers to delete arbitrary files on the host filesystem via a path traversal flaw. Deletion of critical files such as wp-config.php can force WordPress into setup mode, enabling site takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
The affected component is a third-party WordPress plugin (Contact Form Extender for Divi - Save Entries, File Upload & Country Code Field) by Satinder Singh, which extends Divi Builder contact forms with file uploads and entry storage. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., path traversal): a file-handling endpoint accepts attacker-controlled path input without normalizing or constraining it to a safe directory, allowing references like '../../wp-config.php' to escape the intended upload/entry directory. Because the deletion code path is reachable without authentication, the plugin exposes filesystem-level operations to anonymous HTTP clients.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data; administrators should monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/contact-form-extender-for-divi-builder/vulnerability/wordpress-contact-form-extender-for-divi-save-entries-file-upload-country-code-field-plugin-1-0-6-arbitrary-file-deletion-vulnerability for a fixed release beyond 1.0.6. In the interim, deactivate and remove the plugin (the safest control, at the cost of losing form-extension functionality), or use a virtual-patching WAF rule (Patchstack, Wordfence, or equivalent) to block requests containing traversal sequences ('../', encoded variants) to the plugin's AJAX/REST endpoints - trade-off being potential false positives on legitimate file-name parameters. Restrict web-server filesystem permissions so the PHP process cannot delete wp-config.php or other core files, and take a verified backup of wp-config.php and uploads before any mitigation is applied.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36978
GHSA-v5gh-23jx-pj59