Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nopriv hook confirms PR:N; deletion via HTTP confirms AV:N/AC:L; impact is integrity-only on plugin table with no confidentiality or availability effect.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to, and including, 1.0.0. The handler is registered against both wp_ajax_cf7cdb_delete and wp_ajax_nopriv_cf7cdb_delete, and it performs no nonce verification, no capability check, and no ownership check before invoking $wpdb->delete() against the wp_cf7cdb_data table with an attacker-supplied integer ID. This makes it possible for unauthenticated attackers to delete arbitrary contact form submission entries stored by the plugin by iterating sequential primary-key IDs.
AnalysisAI
Unauthenticated data deletion in the Advanced Contact Form 7 - Compact DB WordPress plugin (versions up to and including 1.0.0) allows any remote attacker to permanently destroy all stored contact form submissions. The root cause is registration of the deletion handler against the wp_ajax_nopriv_cf7cdb_delete hook, which WordPress exposes to unauthenticated users, combined with a complete absence of nonce verification, capability checks, and ownership validation before invoking $wpdb->delete(). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The only condition required for exploitation is that the Advanced Contact Form 7 - Compact DB plugin (versions up to 1.0.0) is installed and activated on a WordPress site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N accurately reflects the attack surface: network-reachable, no authentication, no complexity, low integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a POST request to `https://target.example.com/wp-admin/admin-ajax.php` with the body `action=cf7cdb_delete&id=1`, receiving confirmation of deletion. The attacker then iterates the `id` parameter from 1 to an arbitrarily large value in a loop, permanently destroying all contact form submission records. … |
| Remediation | No vendor-released patched version has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38663
GHSA-7v85-67q3-8qc9