Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function, the nonce check is only executed when _wpnonce is present in the POST body, allowing it to be trivially bypassed by omitting the field, combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result's post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values associated with keys containing 'ys_cfdbh_file' are used as file paths appended to the uploads directory path without any path traversal validation, and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files).
AnalysisAI
Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.
Technical ContextAI
The affected component is the Yudiz-developed WP Contact Form 7 DB Handler plugin (CPE cpe:2.3:a:yudiz:wp_contact_form_7_db_handler), which stores Contact Form 7 submissions in the WordPress database. The root cause maps to CWE-352 (Cross-Site Request Forgery), but the impact is amplified by two secondary weaknesses visible in the referenced source lines (form-inner-page-class.php L589, L605, L607, L615): the process_bulk_action() function only calls wp_verify_nonce() inside a conditional that checks for the presence of _wpnonce in POST, so omitting the field skips the check entirely; the bulk action then concatenates a user-supplied ID into a WHERE ID = $ID clause without parameterization or numeric casting, and finally calls unserialize() on the returned post_content. PHP's unserialize() on attacker-controlled bytes triggers object/array instantiation, and array keys matching 'ys_cfdbh_file' are appended to the WordPress uploads path and passed to wp_delete_file() with no realpath or traversal validation.
RemediationAI
Upstream fix available (changeset 3520240 on the WordPress plugin repository); released patched version not independently confirmed from the supplied data, so administrators should upgrade to the latest version published after the referenced changeset and verify the installed version against the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/96cdba03-7385-4374-915d-061be0276a95. Until upgrading, the most reliable compensating control is to deactivate and remove the WP Contact Form 7 DB Handler plugin, accepting the trade-off that historical form submissions stored by the plugin will become inaccessible from the admin UI. If the plugin must remain active, restrict /wp-admin access to known IPs via a web application firewall or webserver ACL to prevent admin browsers from reaching attacker-controlled CSRF pages while logged in, and instruct administrators to log out of WordPress when not actively using it; also harden the filesystem so the webserver user cannot delete wp-config.php (chattr +i or equivalent immutable-bit protection on Linux), accepting that this will break legitimate plugin/core updates until the bit is cleared.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32736
GHSA-xf5m-7grh-3gvm