CVE-2026-32496
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NYSL Spam Protect for Contact Form 7 wp-contact-form-7-spam-blocker allows Path Traversal. This issue affects Spam Protect for Contact Form 7: from n/a through <= 1.2.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in the WordPress Spam Protect for Contact Form 7 plugin allows unauthenticated attackers to delete arbitrary files, potentially breaking the site.
Vulnerability
Overview
The Spam Protect for Contact Form 7 plugin for WordPress (versions up to and including 1.2.9) contains an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [1]. This flaw allows an attacker to traverse outside the intended directory and delete arbitrary files on the server. The root cause is insufficient validation of user-supplied file paths before performing file deletion operations.
Exploitation
Attackers can exploit this vulnerability without authentication, making it accessible to anyone who can send crafted requests to the vulnerable plugin [1]. The attack vector is network-based, and no special privileges are required. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].
Impact
Successful exploitation could allow a malicious actor to delete arbitrary files from the affected WordPress site [1]. If core WordPress files are deleted, the site may break and stop functioning entirely. This could lead to a complete denial of service for the website.
Mitigation
The vulnerability has been patched in version 1.2.10 of the plugin [1]. Users are strongly advised to update immediately. For those unable to update, Patchstack has issued a mitigation rule to block attacks until the update is applied [1]. Hosting providers or web developers can assist with the update process.
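To act on the update advice above, the following added example (not part of the original page and not the plugin's own code) walks a hosting tree, reads the plugin's `Version:` header and flags every copy older than 1.2.10. It assumes the standard `wp-content/plugins/<slug>` layout with the slug taken from the description; the fixture file name `spam-protect.php` is made up.

```python
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "wp-contact-form-7-spam-blocker"  # plugin slug as given in the CVE description
FIXED_VERSION = "1.2.10"                         # first patched release according to the page
# WordPress plugin header line, e.g. " * Version: 1.2.9"
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.+-]*)", re.M | re.I)


def version_key(version):
    """Numeric tuple, so 1.2.10 sorts after 1.2.9 (a plain string compare does not)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None if not found."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192].decode("utf-8", "replace")  # headers sit at the top
        if "Plugin Name:" in head:
            match = VERSION_RE.search(head)
            if match:
                return match.group(1)
    return None


def audit(root):
    """Map every installed copy under root to (version, status)."""
    report = {}
    for plugin_dir in sorted(Path(root).glob(f"**/wp-content/plugins/{PLUGIN_SLUG}")):
        version = installed_version(plugin_dir)
        status = ("unknown" if version is None else "vulnerable"
                  if version_key(version) < version_key(FIXED_VERSION) else "patched")
        report[str(plugin_dir.relative_to(root))] = (version, status)
    return report


def build_sample_tree(root):
    """Constructed fixture: three sites; 'spam-protect.php' is a made-up file name."""
    for site, version in (("site-a", "1.2.9"), ("site-b", "1.2.10"), ("site-c", "1.2")):
        plugin_dir = Path(root) / site / "wp-content" / "plugins" / PLUGIN_SLUG
        plugin_dir.mkdir(parents=True)
        header = f"<?php\n/*\n * Plugin Name: Spam Protect for Contact Form 7\n * Version: {version}\n */\n"
        (plugin_dir / "spam-protect.php").write_text(header)


if __name__ == "__main__":
    for path, (version, status) in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{status:10} {version or '?':8} {path}")
```

Run it with the directory that holds the site roots as its only argument; copies reported as `unknown` need a manual look.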
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.2.9
Patches
No patches discovered yet.