Skip to main content

Contact Form Extender EUVDEUVD-2026-36978

| CVE-2026-40769 HIGH
Path Traversal (CWE-22)
2026-06-15 Patchstack GHSA-v5gh-23jx-pj59
8.6
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
vuln.today AI
8.6 HIGH

Network-reachable WordPress endpoint, no auth or interaction, low complexity; deletion affects core WordPress files beyond the plugin (scope change) with high availability impact and no direct C/I impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:H/SA:H

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:12 vuln.today

DescriptionCVE.org

Unauthenticated Arbitrary File Deletion in Contact Form Extender for Divi &#8211; Save Entries, File Upload &amp; Country Code Field <= 1.0.6 versions.

AnalysisAI

Unauthenticated arbitrary file deletion in the WordPress plugin Contact Form Extender for Divi (versions <= 1.0.6) allows remote attackers to delete arbitrary files on the host filesystem via a path traversal flaw. Deletion of critical files such as wp-config.php can force WordPress into setup mode, enabling site takeover. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

The affected component is a third-party WordPress plugin (Contact Form Extender for Divi - Save Entries, File Upload & Country Code Field) by Satinder Singh, which extends Divi Builder contact forms with file uploads and entry storage. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., path traversal): a file-handling endpoint accepts attacker-controlled path input without normalizing or constraining it to a safe directory, allowing references like '../../wp-config.php' to escape the intended upload/entry directory. Because the deletion code path is reachable without authentication, the plugin exposes filesystem-level operations to anonymous HTTP clients.

RemediationAI

No vendor-released patch identified at time of analysis from the provided data; administrators should monitor the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/contact-form-extender-for-divi-builder/vulnerability/wordpress-contact-form-extender-for-divi-save-entries-file-upload-country-code-field-plugin-1-0-6-arbitrary-file-deletion-vulnerability for a fixed release beyond 1.0.6. In the interim, deactivate and remove the plugin (the safest control, at the cost of losing form-extension functionality), or use a virtual-patching WAF rule (Patchstack, Wordfence, or equivalent) to block requests containing traversal sequences ('../', encoded variants) to the plugin's AJAX/REST endpoints - trade-off being potential false positives on legitimate file-name parameters. Restrict web-server filesystem permissions so the PHP process cannot delete wp-config.php or other core files, and take a verified backup of wp-config.php and uploads before any mitigation is applied.

Share

EUVD-2026-36978 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy