Skip to main content

Advanced Contact Form 7 Compact DB EUVDEUVD-2026-38663

| CVE-2026-12094 MEDIUM
Missing Authorization (CWE-862)
2026-06-24 Wordfence GHSA-7v85-67q3-8qc9
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

nopriv hook confirms PR:N; deletion via HTTP confirms AV:N/AC:L; impact is integrity-only on plugin table with no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 24, 2026 - 07:04 vuln.today
CVE Published
Jun 24, 2026 - 05:33 cve.org
MEDIUM 5.3

DescriptionCVE.org

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up to, and including, 1.0.0. The handler is registered against both wp_ajax_cf7cdb_delete and wp_ajax_nopriv_cf7cdb_delete, and it performs no nonce verification, no capability check, and no ownership check before invoking $wpdb->delete() against the wp_cf7cdb_data table with an attacker-supplied integer ID. This makes it possible for unauthenticated attackers to delete arbitrary contact form submission entries stored by the plugin by iterating sequential primary-key IDs.

AnalysisAI

Unauthenticated data deletion in the Advanced Contact Form 7 - Compact DB WordPress plugin (versions up to and including 1.0.0) allows any remote attacker to permanently destroy all stored contact form submissions. The root cause is registration of the deletion handler against the wp_ajax_nopriv_cf7cdb_delete hook, which WordPress exposes to unauthenticated users, combined with a complete absence of nonce verification, capability checks, and ownership validation before invoking $wpdb->delete(). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Confirm target WordPress site has plugin active
Delivery
Send unauthenticated POST to wp-admin/admin-ajax.php with action=cf7cdb_delete
Exploit
Pass integer id parameter, bypass absent capability and nonce checks
Execution
$wpdb->delete() removes target row from wp_cf7cdb_data
Impact
Iterate sequential IDs to wipe all stored form submissions

Vulnerability AssessmentAI

Exploitation The only condition required for exploitation is that the Advanced Contact Form 7 - Compact DB plugin (versions up to 1.0.0) is installed and activated on a WordPress site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N accurately reflects the attack surface: network-reachable, no authentication, no complexity, low integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a POST request to `https://target.example.com/wp-admin/admin-ajax.php` with the body `action=cf7cdb_delete&id=1`, receiving confirmation of deletion. The attacker then iterates the `id` parameter from 1 to an arbitrarily large value in a loop, permanently destroying all contact form submission records. …
Remediation No vendor-released patched version has been identified at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38663 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy