Abandoned Contact Form 7
Monthly
Unauthenticated arbitrary post deletion in the Abandoned Contact Form 7 WordPress plugin (versions ≤ 2.2) allows any remote attacker to permanently erase any post, page, or custom content type from an affected site by submitting a single crafted HTTP request. The plugin's AJAX handler is registered on the `wp_ajax_nopriv_remove_abandoned` hook without capability checks or nonce validation, exposing WordPress's `wp_delete_post()` with the force-delete flag set to true to unauthenticated callers who supply any valid post ID. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the trivially automatable, zero-prerequisite attack surface makes this a high-priority remediation target for any site running the vulnerable plugin version.
Unauthenticated arbitrary post deletion in the Abandoned Contact Form 7 WordPress plugin (versions ≤ 2.2) allows any remote attacker to permanently erase any post, page, or custom content type from an affected site by submitting a single crafted HTTP request. The plugin's AJAX handler is registered on the `wp_ajax_nopriv_remove_abandoned` hook without capability checks or nonce validation, exposing WordPress's `wp_delete_post()` with the force-delete flag set to true to unauthenticated callers who supply any valid post ID. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the trivially automatable, zero-prerequisite attack surface makes this a high-priority remediation target for any site running the vulnerable plugin version.