CVE-2026-6455
Description
The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function, the nonce check is only executed when _wpnonce is present in the POST body, allowing it to be trivially bypassed by omitting the field, combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result's post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values associated with keys containing 'ys_cfdbh_file' are used as file paths appended to the uploads directory path without any path traversal validation, and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in WP Contact Form 7 DB Handler ≤3.0 allows arbitrary file deletion via SQL injection and PHP object injection.
Vulnerability
The WP Contact Form 7 DB Handler plugin for WordPress versions up to and including 3.0 is vulnerable to a Cross-Site Request Forgery (CSRF) that leads to arbitrary file deletion via SQL injection and PHP object injection. The vulnerability resides in the process_bulk_action() function in form-inner-page-class.php [1]. The nonce check is only performed when the _wpnonce parameter is present in the POST body; if omitted, the check is bypassed. Additionally, a user-supplied value is used unsanitized in a numeric SQL context (WHERE ID = $ID), and the post_content field from the query result is deserialized without validation.
Exploitation
An attacker can craft a malicious page that, when visited by a logged-in administrator, triggers a CSRF request to the vulnerable endpoint. The attacker omits the _wpnonce field to bypass the nonce check. The request includes a UNION-based SQL injection payload using CHAR() to avoid quote-escaping by esc_sql(). This payload returns a row with a crafted serialized PHP array in the post_content column. Upon deserialization, the plugin iterates over array keys containing 'ys_cfdbh_file' and uses the corresponding values as file paths, appending them to the WordPress uploads directory without validating for path traversal. The resulting path is then passed to wp_delete_file(), deleting the targeted file.
Impact
A successful attack allows an unauthenticated attacker (via CSRF) to delete arbitrary files on the server, including sensitive files such as wp-config.php or system files, leading to complete site compromise and potential server takeover. The attacker gains the ability to delete any file writable by the web server user, with no privilege escalation beyond the administrator's session used in the CSRF.
Mitigation
As of the publication date (2026-05-28), no fixed version has been released. The vendor has not yet addressed the vulnerability. Users should disable the plugin until a patch is available. There is no known workaround. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at this time.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<=3.0+ 1 more
- (no CPE)range: <=3.0
- (no CPE)range: <=3.0
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
10- plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/tags/3.0/include/form-inner-page-class.phpnvd
- plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/tags/3.0/include/form-inner-page-class.phpnvd
- plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/tags/3.0/include/form-inner-page-class.phpnvd
- plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/tags/3.0/include/form-inner-page-class.phpnvd
- plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/trunk/include/form-inner-page-class.phpnvd
- plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/trunk/include/form-inner-page-class.phpnvd
- plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/trunk/include/form-inner-page-class.phpnvd
- plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/trunk/include/form-inner-page-class.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/96cdba03-7385-4374-915d-061be0276a95nvd
News mentions
0No linked articles in our index yet.