Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Vendor's I:L understates impact; permanent force-deletion of arbitrary WordPress content with no trash recovery warrants I:H, and A:L reflects meaningful content availability degradation from bulk deletion.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax.
AnalysisAI
Unauthenticated arbitrary post deletion in the Abandoned Contact Form 7 WordPress plugin (versions ≤ 2.2) allows any remote attacker to permanently erase any post, page, or custom content type from an affected site by submitting a single crafted HTTP request. The plugin's AJAX handler is registered on the wp_ajax_nopriv_remove_abandoned hook without capability checks or nonce validation, exposing WordPress's wp_delete_post() with the force-delete flag set to true to unauthenticated callers who supply any valid post ID. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the trivially automatable, zero-prerequisite attack surface makes this a high-priority remediation target for any site running the vulnerable plugin version.
Technical ContextAI
The vulnerability resides in the action__remove_abandoned() method of the plugin class file class.cf7af.php (lines 49, 65, and 68 in the 2.2 tag per Wordfence and WordPress plugin repository references). WordPress's wp_ajax_nopriv_{action} hook mechanism allows unauthenticated HTTP clients to invoke registered AJAX handlers via POST to wp-admin/admin-ajax.php - a design intended for guest-facing functionality but exploitable when access controls are omitted. The handler reads $_POST['recover_id'] without sanitizing, type-checking, or ownership-validating the value, then passes it directly to wp_delete_post($recover_id, true). The boolean true argument forces permanent deletion, bypassing WordPress's trash/recycle mechanism entirely and making data recovery impossible without external backups. The missing authorization check (CWE-862) means the function never verifies that the supplied ID corresponds to the plugin's own cf7af_data post type, allowing any numeric WordPress object ID - posts, pages, attachments, or arbitrary custom post types - to be targeted. Affected product per CPE: cpe:2.3:a:zealopensource:abandoned_contact_form_7:*:*:*:*:*:*:*:* through and including version 2.2.
RemediationAI
No vendor-released patched version has been identified at time of analysis; all available references point exclusively to the vulnerable 2.2 tag with no newer release confirmed in the WordPress plugin repository. Site administrators should immediately deactivate and uninstall the Abandoned Contact Form 7 plugin until a fixed version is published by zealopensource - monitor the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/a38ebdeb-6ab8-4f1d-9c13-39211a9e97b6 for patch availability. As a targeted compensating control, a WAF rule blocking POST requests to wp-admin/admin-ajax.php where the action parameter equals remove_abandoned will neutralize this specific attack path with minimal side effects (the plugin's legitimate functionality will be disrupted, but the plugin should be deactivated regardless). Restricting unauthenticated access to admin-ajax.php at the web server level via nginx location rules or Apache .htaccess is a broader alternative but carries higher risk of breaking other plugins that legitimately use guest-facing AJAX handlers. Ensuring an offsite backup solution is current is essential given the permanent, unrecoverable nature of force-deletion.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37032
GHSA-ff4x-rgp2-vm8c