WP Contact Form 7 DB Handler <= 3.0 - Cross-Site Request Forgery to Arbitrary File Deletion via 'contact_form' Parameter

CVE	CVE-2026-6455
State	PUBLISHED
Assigner	Wordfence
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-28 08:16:36 UTC
Updated	2026-05-28 13:45:25 UTC
Description	The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function, the nonce check is only executed when _wpnonce is present in the POST body, allowing it to be trivially bypassed by omitting the field, combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result's post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values associated with keys containing 'ys_cfdbh_file' are used as file paths appended to the uploads directory path without any path traversal validation, and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files).

Primary CVSS: v3.1 8.1 HIGH from [email protected]

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

EPSS: 0.000360000 probability, percentile 0.109600000 (date 2026-06-01)

Problem Types: CWE-352 | CWE-352 CWE-352 Cross-Site Request Forgery (CSRF)

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	8.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H`
3.1	CNA	DECLARED	8.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Source	Vendor	Product	Version	Platforms
CNA	Yudiz	WP Contact Form 7 DB Handler	affected 3.0 semver	Not specified

Reference	Source	Link	Tags
plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/trunk/include/form-inner...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/tags/3.0/include/form-in...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/trunk/include/form-inner...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/trunk/include/form-inner...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/tags/3.0/include/form-in...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/trunk/include/form-inner...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/tags/3.0/include/form-in...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/tags/3.0/include/form-in...	[email protected]	plugins.trac.wordpress.org
www.wordfence.com/threat-intel/vulnerabilities/id/96cdba03-7385-4374-915d-061be...	[email protected]	www.wordfence.com
plugins.trac.wordpress.org/changeset	[email protected]	plugins.trac.wordpress.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

CNA: Louis Deschanel (en)

CNA: Pascal SUN (en)

Source	Time	Event
CNA	2026-04-16T20:32:22.000Z	Vendor Notified
CNA	2026-05-27T18:05:02.000Z	Disclosed

There are currently no legacy QID mappings associated with this CVE.