Advanced Contact Form 7 Compact Db
Monthly
Unauthenticated data deletion in the Advanced Contact Form 7 - Compact DB WordPress plugin (versions up to and including 1.0.0) allows any remote attacker to permanently destroy all stored contact form submissions. The root cause is registration of the deletion handler against the `wp_ajax_nopriv_cf7cdb_delete` hook, which WordPress exposes to unauthenticated users, combined with a complete absence of nonce verification, capability checks, and ownership validation before invoking `$wpdb->delete()`. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is trivially automatable due to sequential integer primary keys and no authentication barrier.
Unauthenticated data deletion in the Advanced Contact Form 7 - Compact DB WordPress plugin (versions up to and including 1.0.0) allows any remote attacker to permanently destroy all stored contact form submissions. The root cause is registration of the deletion handler against the `wp_ajax_nopriv_cf7cdb_delete` hook, which WordPress exposes to unauthenticated users, combined with a complete absence of nonce verification, capability checks, and ownership validation before invoking `$wpdb->delete()`. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is trivially automatable due to sequential integer primary keys and no authentication barrier.