Skip to main content

WP Contact Form 7 DB Handler EUVDEUVD-2026-32736

| CVE-2026-6455 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-28 Wordfence GHSA-xf5m-7grh-3gvm
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 28, 2026 - 07:51 vuln.today
CVE Published
May 28, 2026 - 06:45 nvd
HIGH 8.1

DescriptionCVE.org

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function, the nonce check is only executed when _wpnonce is present in the POST body, allowing it to be trivially bypassed by omitting the field, combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result's post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values associated with keys containing 'ys_cfdbh_file' are used as file paths appended to the uploads directory path without any path traversal validation, and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files).

AnalysisAI

Arbitrary file deletion in the WP Contact Form 7 DB Handler WordPress plugin (versions up to and including 3.0) can be achieved by chaining CSRF, UNION-based SQL injection, and PHP object deserialization. A remote unauthenticated attacker who lures a logged-in administrator to a malicious page can delete arbitrary server files, including wp-config.php, which typically forces the site into a re-installation state and enables full site takeover. No public exploit identified at time of analysis, though Wordfence's detailed write-up effectively documents the exploit chain.

Technical ContextAI

The affected component is the Yudiz-developed WP Contact Form 7 DB Handler plugin (CPE cpe:2.3:a:yudiz:wp_contact_form_7_db_handler), which stores Contact Form 7 submissions in the WordPress database. The root cause maps to CWE-352 (Cross-Site Request Forgery), but the impact is amplified by two secondary weaknesses visible in the referenced source lines (form-inner-page-class.php L589, L605, L607, L615): the process_bulk_action() function only calls wp_verify_nonce() inside a conditional that checks for the presence of _wpnonce in POST, so omitting the field skips the check entirely; the bulk action then concatenates a user-supplied ID into a WHERE ID = $ID clause without parameterization or numeric casting, and finally calls unserialize() on the returned post_content. PHP's unserialize() on attacker-controlled bytes triggers object/array instantiation, and array keys matching 'ys_cfdbh_file' are appended to the WordPress uploads path and passed to wp_delete_file() with no realpath or traversal validation.

RemediationAI

Upstream fix available (changeset 3520240 on the WordPress plugin repository); released patched version not independently confirmed from the supplied data, so administrators should upgrade to the latest version published after the referenced changeset and verify the installed version against the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/96cdba03-7385-4374-915d-061be0276a95. Until upgrading, the most reliable compensating control is to deactivate and remove the WP Contact Form 7 DB Handler plugin, accepting the trade-off that historical form submissions stored by the plugin will become inaccessible from the admin UI. If the plugin must remain active, restrict /wp-admin access to known IPs via a web application firewall or webserver ACL to prevent admin browsers from reaching attacker-controlled CSRF pages while logged in, and instruct administrators to log out of WordPress when not actively using it; also harden the filesystem so the webserver user cannot delete wp-config.php (chattr +i or equivalent immutable-bit protection on Linux), accepting that this will break legitimate plugin/core updates until the bit is cleared.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-32736 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy