CVE-2026-9187
Description
The Abandoned Contact Form 7 plugin for WordPress up to 2.2 allows unauthenticated attackers to permanently delete arbitrary posts via a missing capability check in the action__remove_abandoned() AJAX handler.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Abandoned Contact Form 7 plugin for WordPress up to 2.2 allows unauthenticated attackers to permanently delete arbitrary posts via a missing capability check in the `action__remove_abandoned()` AJAX handler.
Vulnerability
The vulnerability resides in the action__remove_abandoned() function of the Abandoned Contact Form 7 plugin (versions up to and including 2.2). The function is hooked to both wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned, making it accessible to unauthenticated users. It accepts a recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force_delete flag set to true [1]. There is no capability check, no nonce validation, and no verification that the provided ID belongs to the plugin's own cf7af_data custom post type. This allows an attacker to supply any post ID.
Exploitation
An unauthenticated attacker can send a single POST request to the WordPress admin-ajax endpoint with the action remove_abandoned and a recover_id parameter containing the ID of any post, page, or custom post type on the site. No authentication or user interaction is required. The attacker only needs to know or guess the target post ID. The function calls wp_delete_post() with true for force delete, so the post is permanently removed from the database without being moved to trash.
Impact
Successful exploitation results in permanent deletion of arbitrary WordPress content, including posts, pages, media attachments, or any custom post type. This can lead to data loss, defacement, or disruption of site functionality. The attacker does not need any privileges, and the deletion is irreversible unless a backup is restored. The CVSS v3 score is 5.3 (Medium), reflecting the lack of authentication but an impact limited to deletion of content.
Mitigation
The vendor has not released a patched version as of the publication date (2026-06-16). Users of the Abandoned Contact Form 7 plugin version 2.2 or earlier should disable the plugin until a fix is available. There is no known workaround. The plugin may be considered abandoned; site administrators should evaluate alternative solutions. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=2.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing capability check and missing nonce validation in the action__remove_abandoned() AJAX handler allows unauthenticated arbitrary post deletion."
Attack vector
An unauthenticated attacker sends a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `remove_abandoned` and a `recover_id` parameter containing the ID of any post or page on the WordPress site. The handler calls `wp_delete_post( $recover_id, true )` without any capability check, nonce validation, or verification that the ID belongs to the plugin's own `cf7af_data` post type. This permanently deletes the targeted content in a single request.
Affected code
The vulnerability resides in the `action__remove_abandoned()` function in `inc/class.cf7af.php` (lines 68–82 of the source shown in [ref_id=1] and [ref_id=2]). This function is registered to both the `wp_ajax_remove_abandoned` and `wp_ajax_nopriv_remove_abandoned` hooks, making it accessible to unauthenticated users.
What the fix does
The advisory states that the fix must add a capability check (e.g., `current_user_can('delete_posts')`) and a nonce validation before calling `wp_delete_post()`, and should also verify that the supplied `recover_id` corresponds to a post of the plugin's own `cf7af_data` post type. The patch is not shown in the bundle, but the remediation guidance is to implement these missing access controls.
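A hardened handler that implements the controls the advisory calls for (nonce validation, capability check, and a post-type check before `wp_delete_post()`), as an added example that is not the plugin's own code: the function name, nonce action name, and JSON response shape are assumptions; the hook names, `recover_id` parameter and `cf7af_data` post type come from this record.

```php
<?php
// Added example, not the plugin's code: a hardened version of the handler shape
// described above. Hook names, the recover_id parameter and the cf7af_data post
// type are from the record; the function name and nonce action are assumed.

add_action( 'wp_ajax_remove_abandoned', 'cf7af_remove_abandoned_hardened' );
// Deliberately NOT registered on wp_ajax_nopriv_remove_abandoned: permanently
// deleting records is a privileged operation and has no unauthenticated use case.

function cf7af_remove_abandoned_hardened() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    //    'cf7af_remove_abandoned' is an assumed nonce action; the admin UI that
    //    issues the request would create it with wp_create_nonce() under that name.
    check_ajax_referer( 'cf7af_remove_abandoned', 'nonce' );

    // 2. Coarse capability check: the caller must be allowed to delete posts at all.
    if ( ! current_user_can( 'delete_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: the ID must be a positive integer, never raw $_POST.
    $recover_id = isset( $_POST['recover_id'] ) ? absint( wp_unslash( $_POST['recover_id'] ) ) : 0;
    if ( 0 === $recover_id ) {
        wp_send_json_error( array( 'message' => 'Invalid recover_id.' ), 400 );
    }

    // 4. Scope check: only the plugin's own cf7af_data records may be deleted here,
    //    never arbitrary posts, pages or attachments identified by ID.
    $post = get_post( $recover_id );
    if ( ! $post || 'cf7af_data' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not an abandoned-form record.' ), 404 );
    }

    // 5. Per-object capability: the caller must be allowed to delete *this* post.
    if ( ! current_user_can( 'delete_post', $recover_id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Only now is the forced (non-trash) delete performed.
    $deleted = wp_delete_post( $recover_id, true );
    if ( ! $deleted ) {
        wp_send_json_error( array( 'message' => 'Deletion failed.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $recover_id ) );
}
```

Each `wp_send_json_*` call terminates the request, so a failed check never reaches `wp_delete_post()`.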
Preconditions
- config: The Abandoned Contact Form 7 plugin must be installed and active on the WordPress site.
- auth: No authentication required; the vulnerable AJAX handler is registered for both authenticated and unauthenticated users.
- input: Attacker must know or guess the ID of a post/page to delete, or can enumerate IDs.
Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/abandoned-contact-form-7/tags/2.2/inc/class.cf7af.php
- www.wordfence.com/threat-intel/vulnerabilities/id/a38ebdeb-6ab8-4f1d-9c13-39211a9e97b6
News mentions
No linked articles in our index yet.